Under the EU Data Protection Directive, there are only limited numbers of ways in which personal data can be compliantly transferred from the EU, Iceland, Norway and Liechtenstein to the US.
Importing personal data from Europe into the US
An Osborne Clarke Helpnote for US businesses
Under the EU Data Protection Directive it is ILLEGAL to import personal data into the USA from the European Economic Area (the EU* plus Iceland, Liechtenstein and Norway) unless certain exceptions from the prohibition apply.
Please note, however, that there is no automatic exception for transfers of personal data between companies within the same corporate group.
This Helpnote is an introduction to the exceptions that are most likely to apply to US businesses. From now on we will call them "Gateways." As we say, this is an introduction only: it is not legal advice. See the end of this note for who to contact for more information or advice as to whether any of them applies in a particular case.
Gateway one-consent
Transfer of personal data to the US is permitted where the individuals concerned have consented to the transfer. However, to be acceptable under the EU Directive, the "consent" given must be:
"a freely given, specific and informed indication of his wishes by which the data subject signifies his agreement."
The effect of this is that, to satisfy the regulators, consent must be given, for instance, by way of actively ticking an opt-in box in close proximity to wording such as:
"I consent to the transfer of my data, for the purpose of [specify purpose of transfer] to [Acme Products, Inc in San Francisco, California] in the USA, whose laws will not protect that data as comprehensively as here in the EU."
Not necessarily an attractive option.
Gateway two-safe harbor
Personal data transfers to US entities who have self-certified under what is known as "Safe Harbor" will sidestep the prohibition.
Under this EU-approved scheme set up by the US Department of Commerce, US companies who believe they meet the Safe Harbor requirements can certify themselves to be compliant and arrange to place themselves on the Department of Commerce's public list of all US companies who have signed up.
Embracing Safe Harbor constitutes a representation to the US Department of Commerce and the public that the company concerned adheres to a regime for data protection that is in essence equivalent to that of the EU Directive.
* Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, United Kingdom
The scheme is onerous for US data transferees and take-up by US corporations has not been as great as was hoped.
Gateway three-necessary transfer
If a transfer of personal data from the EEA to the US is "necessary for the performance of a contract" between the entity collecting the data in the EEA and the data subject, that transfer will not fall foul of the prohibition.
However, this gateway is unlikely to be available if, for example, a corporate group with branches in the UK and the US simply arranges for its own commercial reasons for all customer data collected in the UK to be automatically transferred onto a central database on an American server.
The UK regulator has advised that this "necessity" test will only be met if the transfer of the data to the US is the only way of achieving the disclosed purpose for which the data has been collected. This is a high hurdle.
Gateway four-data transfer contract
Potentially the most straightforward gateway is where a contract meeting EU requirements is in place between the US data importer and European data exporter.
The requirements for these contracts vary depending on the circumstances. The following link to the European Commission's webpage explains and provides links to model clauses developed by the Commission for various scenarios: (http://europa.eu.int/comm/justice_home/fsj/privacy/modelcontracts/index_en.htm).
Gateway five-binding corporate rules
For global corporations this may be viable. It involves developing a group-wide policy/protocol for processing personal data. This then has to be signed off by an EU state data protection law enforcement authority. That authority has to be satisfied that in terms of their effect and binding nature, the "corporate rules" in question impose on the entire group a regime equivalent to the EU Directive.
General Electric recently became the first corporation to achieve sign-off on such rules from the UK Information Commissioner's Office, thus enabling GE to transfer personal data compliantly throughout the group.
It is not necessarily straightforward to pass through any of these "Gateways." Before any arrangements/systems involving the import of personal data from the EEA into the US are put in place, it is strongly recommended that expert advice is taken.