Privacy Law and Policy Reporter
At first glance the requirement for a controller who is subject to the UK legislation based on the European Union’s Data Protection Directive (95/46/EC) not to transfer personal data to a country which offers an inadequate level of protection presents a clear barrier to global trade. However, the effect of the restrictions on these transfers, as specified in art 25 of the Directive, should not be seen in isolation from the impact of other provisions in the Directive.
As is well known, art 26 presents several broad derogations from the requirement to consider the adequacy of the protection in the territory to which personal data might be transferred. For example, if personal data is transferred with the consent of the data subject, or if the transfer is necessary for a contract which the data subject has signed, then there is no need to consider adequacy. Unless there are internationally agreed sanctions against a particular territory (in which case the transfer of personal data will be unlawful), the successful application of a derogation means that personal data can freely flow to the most despotic of regimes.
The argument presented in this text is simply stated: if controllers implement procedures to meet their obligations to process personal data fairly, transparently, lawfully and securely, then one of these derogations should apply — in which case, there is no need to consider adequacy and there is no restriction on the transfer of personal data across borders. This position contrasts with the voices, mainly raised in the US, which argue that arts 25 and 26 present a barrier to free trade.
The analysis begins with the fact that the transfer of personal data is usually associated with a disclosure of personal data, or a use of personal data by the person to whom the data have been disclosed. For instance, the transfer of personal data from the European Union (EU) to a corporate headquarters in the US would also be a disclosure from one company (in the EU) for use by another company in the same group. Whereas the provisions in arts 25 and 26 would focus on the transfer of personal data, it is the provisions in arts 6(a), 7, 10, 11, 16 and 17 which are the most relevant considerations with respect to any associated use or disclosure. Meeting these latter obligations (that is, with respect to use or disclosure of personal data) will, by their very nature, permit the transfer of such data to qualify for a derogation.
For example, consider the free flow of personnel and human resources personal data across the globe (such as from a multinational based in the EU to the US). Since most employees expect the personnel details they give to the controller (the employer) to be kept confidential, then for the controller to process personal data in such a way as to breach that duty of confidence would constitute unlawful processing (this point is well established, even under the UK’s Data Protection Act 1984). It’s worth noting at this point that this argument would apply to any confidential personal data; for example, banking, insurance and health.
Thus, in data protection terms, unlawful processing could arise if, for example, personal data were disclosed (that is, transferred) to a third party in the US so that the data could be used for another purpose, or if the transfer abroad placed the data in an insecure environment so that there was an evident danger of disclosure to unauthorised persons.
However, the law of confidence is not absolute: in general, it recognises three circumstances in which a confidence may be breached. This means it would be lawful to process personal data in the following circumstances:
In summary, the point is this: if the law of confidence is maintained (such as by obtaining consent for a use or disclosure of confidential personal data), then one of the derogations in art 26 will apply to the transfer, and there will be no need to consider adequacy.
The next issue is whether an organisation based within the EU is prevented from using a suitable processor anywhere outside the EU. The main conclusion is that as long as the controller takes its security obligations as specified in arts 16 and 17 to heart (by identifying in advance the appropriate security and other data protection standards which govern all aspects of the processing), takes the required care to choose a processor that can guarantee their adoption, and instigates the necessary audit controls, then no significant obstacles should be encountered — that is, there will be no restriction on transfer.
This conclusion is derived as follows:
A different set of data protection issues arises when the organisation outside the EU can process the transferred personal data for its own purposes (that is, the organisation is not acting as a processor). Here, the fairness and transparency criteria become the crucial data protection factors.
So let us assume that a controller based in the EU wishes to transfer personal data to another organisation in the US which then intends to use the personal data for another purpose. In this case, the data protection legislation requires that prior to any transfer or disclosure to the US:
Assuming that the use by the organisation based in the US was non-obvious and that no exemption applies to these ‘fairness’ requirements (such as might apply to a transfer of personal data between public authorities engaged in law enforcement), the impact of these requirements is to make the existence of the US-based organisation, and the purpose of the processing in the US, known to the data subject (unless this was obvious from the context in which the personal data was obtained, or unless an exemption from providing such fair-obtaining information applied). Article 10, for instance, refers to the ‘purpose of the processing’ (that is, the purpose behind a disclosure to the US) and ‘further information ... necessary ... to guarantee fair processing’. This can include where personal data is processed.
This point is made even clearer by the wording of the Second Principle of the Data Protection Act 1998, which again implements parts of arts 10 and 11. Here the key requirement is for a UK-based controller, prior to disclosure, to have regard ‘to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed’. This would entail consideration, by the controller, of the purpose of processing by the US-based organisation and of any other subsequent disclosure to be made by that organisation. Having identified these intended purposes and disclosures in advance of any transfer, the UK-based controller is therefore in a clear position to inform data subjects so as to ‘guarantee fair processing in respect of the data subject’. Failure to make an appropriate statement is likely to be a breach of this Principle.
Of course, if such purposes and disclosures are fully declared to data subjects in an appropriate fair obtaining statement, then the data subject, by agreeing to such conditions, is freely consenting to uses such as the use and disclosure of the information by a US-based organisation. Given such consent, the transfer to the US can proceed without consideration of adequacy, because, as has been said before, consent is one of the derogation conditions specified in art 26.
In summary, therefore, if a controller meets the requirement in art 6(a) to process personal data ‘fairly and lawfully’, the obligation to comply with transparency rules when personal data is collected by a controller (as specified in arts 10 and 11), and the controller’s obligations towards the security of processing as outlined in arts 16 and 17, then it can be expected that most transfers can proceed without regard to any test of inadequacy.
Chris Pounder, Data Protection News, Cap Gemini UK plc, 95 Wandsworth Road, London SW8 2HG.
Tel: +44 (0) 171-917 4362/4704,
fax: +44 (0) 171-917-4666,
email: <firstname.lastname@example.org> or <email@example.com>.