Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Pounder, Chris --- "Excuse me - but I can't see why the European Data Protectino Directive restricts transborder flows of personal data" [1999] PrivLawPRpr 38; (1999) 6(2) Privacy Law & Policy Reporter 18

Excuse me — but I can’t see why the European Data Protection Directive restricts transborder flows of personal data

Chris Pounder

At first glance the requirement for a controller who is subject to the UK legislation based on the European Union’s Data Protection Directive (95/46/EC) not to transfer personal data to a country which offers an inadequate level of protection presents a clear barrier to the global trade. However, the effect of the restrictions on these transfers, as specified in art 25 of the Directive, should not be seen in isolation from the impact of other provisions in the Directive.

As is well known, art 26 presents several broad derogations from the requirement to consider the adequacy of the protection in the territory to which personal data might be transferred. For example, if personal data is transferred with the consent of the data subject, or if the transfer is necessary for a contract which the data subject has signed, then there is no need to consider adequacy. Unless there are internationally agreed sanctions against a particular territory (in which case the transfer of personal data will be unlawful), the successful application of an derogation means that personal data can freely flow to the most despotic of regimes.

The argument presented in this text is simply stated: if controllers implement procedures to meet their obligations to process personal data fairly, transparently, lawfully and securely, then one of these derogations should apply — in which case, there is no need to consider adequacy and there is no restriction on the transfer of personal data across borders. This position contrasts to the voices, mainly raised in the US, which argue that arts 25 and 26 present a barrier to free trade.

The analysis begins with the fact that the transfer of personal data is usually associated with a disclosure of personal data, or a use of personal data by the person to whom the data have been disclosed. For instance, the transfer of personal data from the European Union (EU) to a corporate headquarters in the US would also be a disclosure from one company (in the EU) for use by another company in the same group. Whereas the provisions in arts 25 and 26 would focus on the transfer of personal data, it is the provisions in arts 6(a), 7, 10, 11, 16 and 17 which are the most relevant considerations with respect to any associated use or disclosure. Meeting these latter obligations (that is, with respect to use or disclosure of personal data) will, by their very nature, permit the transfer of such data to qualify for a derogation.

For example, consider the free flow of personnel and human resources personal data across the globe (such as from a multinational based in the EU to the US). Since most employees expect the personnel details they give to the controller (the employer) to be kept confidential, then for the controller to process personal data in such a way as to breach that duty of confidence would constitute unlawful processing (this point is well established, even under the UK’s Data Protection Act 1984). It’s worth noting at this point that this argument would apply to any confidential personal data; for example, banking, insurance and health.

Thus, in data protection terms, unlawful processing could arise if, for example, personal data were disclosed (that is, transferred) to a third party in the US so that the data could be used for another purpose, or if the transfer abroad placed the data in an insecure environment so that there was an evident danger of disclosure to unauthorised persons.

However, the law of confidence is not an absolute, and in general, it permits three circumstances under which it is permissible to breach a confidence. This means it would be lawful to process personal data in the following circumstances:

1. The processing was necessary to meet a statutory obligation. In an international context it is extremely unlikely that such an obligation would require a controller unconnected with government to directly transfer personal data outside the EU (for example, to an organisation based in the US); hence this condition is irrelevant to the basic argument presented here. Usually international obligations only commit governments to exchange personal data, in which case a controller might be faced with a legal obligation to disclose to a government body, which then transfers the personal data in accordance with any international agreement. In these circumstances it will be the government body which will have to ensure that the transfer is legitimate in terms of arts 25 and 26, not the controller.
2. The processing was in the public interest. Article 26 permits transfers if disclosure ‘is necessary ... on important public interest grounds’. Thus, if the US police asked for a transfer of personal data with respect to a particular data subject suspected of being involved in a serious crime (such as murder or rape), then it is likely that the test of important public interest would be satisfied. It is less likely that the test would be satisfied in the case of a lesser crime such as minor theft. Similarly, the test of important public interest would be likely to be satisfied if the US authorities requested information with respect to a contagious disease in circumstances where failure to disclose or transfer personal data would create a significant risk of causing serious harm to others (that is, to public health in general). Under the UK legislation, the Secretary of State has powers to determine that important public interest grounds include those circumstances where there are international obligations with respect to transfers of personal data between administrations.
3. The processing has the consent of the data subject. Under art 7, obtaining ‘unambiguous consent’ for any processing legitimises that processing (unless the processing itself has been made unlawful by other legislation, in which case the consent cannot override this restriction; this is a condition which is often overlooked, by public bodies in particular). Article 26 permits unrestricted transfers when the data subject has ‘given his consent’ or when transfer ‘is necessary to the performance of a contract’. Since this distinction is blurred (as consent is often obtained via a signature on a contract), then both derogations could well apply to transfers of personal data. For example, suppose a person who obtains a credit card is, as part of contractual requirements, clearly alerted to the implications for transfers of confidential personal data (for example, creditworthiness) should that card be used in an ‘inadequate’ country. It is difficult to see how a restriction on transfer can arise, as the use of the card legitimises the transfer in terms of the consent or contract derogations of art 26.

In summary, the point is this: if the law of confidence is maintained (such as by obtaining consent for a use or disclosure of confidential personal data), then one of the derogations in art 26 will apply to the transfer, and there will be no need to consider adequacy.

The next issue is whether an organisation based within the EU is prevented from using a suitable processor anywhere outside the EU. The main conclusion is that as long as the controller takes its security obligations as specified in arts 16 and 17 to heart (by identifying in advance the appropriate security and other data protection standards which govern all aspects of the processing), takes the required care to choose a processor that can guarantee their adoption, and instigates the necessary audit controls, then no significant obstacles should be encountered — that is, there will be no restriction on transfer.

This conclusion is derived as follows:

• The transfer of personal data to the processor outside the EU should take place in circumstances where the provisions of the Directive will continue to apply to the processing of the personal data after the transfer. As far as art 4 is concerned, it does not matter where the personal data is processed — what matters is that the controller is established within the EU. Thus, even if the processor is situated in Inner Mongolia or outer space, the full rigor of the data protection legislation applies to the processing of personal data, so that rights of data subjects are maintained and the powers of the Commissioner with respect to the processing to enforce data protection rules apply.
• A processor, by definition (art 1), is a person who ‘processes personal data on behalf of the controller’; this means that a processor cannot process, for its own purposes, personal data held by its client (the controller). This is reinforced by art 17, which requires contracts to cover the security and nature of the processing, and that the processor ‘shall act only on the instructions from the controller’. Thus, if a US-based processor were to process personal data for purposes which are not covered by the controller’s instructions, or if that processor failed to adopt that controller’s security and data protection standards, then data subjects would have redress against the controller — that is, they could sue that controller for compensation as a result of that breach.
• Article 26, as implemented by the Eighth Principle of the UK’s Data Protection Act 1998, permits the Commissioner to authorise transfers which ‘ensure adequate safeguards for the rights and freedoms of data subjects’. The UK Commissioner can hardly refuse such authorisation, since the appropriate safeguards are guaranteed because the Act applies to any processor. Similarly, art 26 itself relates to ‘safeguards’ in ‘appropriate contractual clauses’; any contract with a processor which failed to achieve the necessary requirements is also likely to be in breach of the contractual requirements specified by art 17(4) which binds the processor to the controller.

A different set of data protection issues arise when the organisation outside the EU can process the transferred personal data for its own purposes (that is, the organisation is not acting as a processor). Here, the fairness and transparency criteria become the crucial data protection factors.

So let us assume that a controller based in the EU wishes to transfer personal data to another organisation in the US which then intends to use the personal data for another purpose. In this case, the data protection legislation requires that prior to any transfer or disclosure to the US:

• the processing operation (that is, the disclosure to the US) is legitimised in terms of art 7 (and art 8 if ‘special categories’ of personal data are processed); and
• ‘fair processing’ as described in arts 10 and 11 is guaranteed.

Assuming that the use by the organisation based in the US was non-obvious and that no exemption applies to these ‘fairness’ requirements (such as might apply to a transfer of personal data between public authorities engaged in law enforcement), the impact of these requirements is to make the existence of the US-based organisation, and the purpose of the processing in the US, known to the data subject (unless this was obvious from the context in which the personal data was obtained, or unless an exemption from providing such fair-obtaining information applied). Article 10, for instance, refers to the ‘purpose of the processing’ (that is, the purpose behind a disclosure to the US) and ‘further information ... necessary ... to guarantee fair processing’. This can include where personal data is processed.

This point is made even clearer from the wording of the Second Principle of the Data Protection Act 1998 which again implements parts of arts 10 and 11. Here the key requirement is for a UK-based controller, prior to disclosure, to have regard ‘to the purposes or purposes for which the personal data are intended to be processed by any person to whom they are disclosed’. This would entail consideration, by the controller, of the purpose of processing by the US-based organisation and of any other subsequent disclosure to be made by that organisation. Having identified these intended purposes and disclosures in advance of any transfer, the UK-based controller is therefore in a clear position to inform data subjects to ‘guarantee fair processing in respect of the data subject’. Failure to make an appropriate statement is likely to be a breach of this Principle.

Of course, if such purposes and disclosures are fully declared to data subjects in an appropriate fair obtaining statement, then the data subject, by agreeing to such conditions, is freely consenting to usages such as to the use and disclosure of the information by a US-based organi-sation. By giving such consent, the transfer to the US can proceed without consideration to adequacy, because as has been said before, consent is one of the derogation conditions specified in art 26.

In summary, therefore, if a controller meets the requirement in art 6(a) to process personal data ‘fairly and lawfully’, the obligation to comply with transparency rules when personal data is collected by a controller (as specified in arts 10 and 11), and the controller’s obligations towards the security of processing as outlined in arts 16 and 17, then it can be expected that most transfers can proceed without regard to any test of inadequacy.

Chris Pounder, Data Protection News, Cap Gemini UK plc, 95 Wandsworth Road, London SW8 2HG.

Tel: +44 (0) 171-917 4362/4704,

fax: +44 (0) 171-917-4666,

email: <dp.news@capgemini.co.uk> or <chris.pounder@capgemini.co.uk>.