Confusion continues over how personal data can be compliantly transferred from the European Economic Area to an outside country such as the US which is not EU-recognised as having ‘adequate’ data protection laws. But a newly published ICO legal analysis offers help.
Topic: Data watchdog lends helping hand on data export
Who: The Information Commissioner's Office ("ICO")
Where: Wilmslow, Cheshire
When: June 2006
The office of the UK's data protection watchdog, the Information Commissioner, published a "Legal analysis and recommended approach" ("Guidance") to international transfers of personal data.
Exporting personal data out of the European Economic Area (The EU, Iceland, Liechtenstein and Norway) must be handled with care. The Eighth Principle of the Data Protection Act 1998 ("DPP 8") governs personal data transfers out of the UK and for practical purposes there are likely to be only five ways for marketers to do it legally.
These "gateways", as marketinglaw.co.uk calls them, are as follows:
1. the importing country is recognised by the EU as having "adequate" data protection laws. Currently only five countries enjoy this status: Argentina, Canada, Guernsey, Isle of Man and Switzerland;
2. the importing country is the USA and the US entity receiving the data has self-certified under the "Safe Harbor" scheme;
3. the transfer is between companies within the same corporate group and the group has obtained formal approval to its data handling procedures under the "Binding Corporate Rules" system;
4. there is a signed agreement in place between the exporting and importing entities which governs the data transfer and contains "Model Clauses" published by the European Commission;
5. the data subject has given his or her unambiguous consent to the export.
In the Guidance the ICO opens by telling us that the views it expresses are informed by continuing discussions with international businesses, fellow EU data protection commissioners and non-EU authorities. No "ivory tower" syndrome here then.
In the introduction the Guidance reminds us that even if DPP 8 is followed to the letter, the other seven data protection principles must also be complied with. For example, there is the first principle, which requires that personal data must be processed fairly and lawfully, and the seventh principle, which impacts on transfers of personal data by UK data controllers to overseas subcontractors (or "data processors" in data protection speak), such as contact centres.
Secondly and ominously, we are informed that whenever in future the ICO is examining data exports, it will expect to see evidence that the data controller making the transfer has followed the approach and the various criteria set out in the Guidance.
Given the restrictions that apply here the ICO suggests consideration be given to anonymisation. If the data does not relate to living individuals the rules don't apply.
Four step approach
The ICO suggests that good practice for potential personal data exporters should be to adopt a four step approach as follows:
1. consider whether there will be a transfer to a "third country" (data protection speak for any country outside the EEA). This will not be happening in a "mere transit" situation, where data is for instance routed through a third country on its way to another EEA state. There will also be no relevant transfer if personal data remains in the EEA, but happens to be accessible, for instance on a website, from countries outside the EEA;
2. consider whether the circumstances are such that at its destination in the third country the data will have an "adequate" level of protection. This is easy if the data is going to Argentina, Canada, Guernsey, Isle of Man or Switzerland. It's also straightforward if the transfer is to the USA and Safe Harbor applies. The third and least attractive option is to undertake one's own enquiries into the laws and systems of the importing third country and establish for oneself whether, taking into account the circumstances of the particular export contemplated, there is an "adequate" level of protection. The detailed help on this aspect in the Guidance makes it clear that this is not an overnight exercise, and for most marketers this will not be a practical option unless repeated, large-scale and commercially essential exports to the country in question are planned;
3. if step 2 does not help, the parties to the transfer should look into putting in place their own "adequate safeguards." There are two ways of doing this. First there is the complex, resource-intensive and long-winded "Binding Corporate Rules" option for multinationals. Only a handful of corporates have so far bitten on this relatively new gateway, which involves seeking formal approval to protocols and systems from the data protection commissioner of every EEA state from which data will be transferred.
The alternative way forward here is the use of approved "model clauses" in executed contracts between data exporter and data importer. Ideally these provisions would be included in the overall contract governing the arrangements in question. Two alternative sets of clauses have been approved for transfers between data controllers and one set for data controller to data processor transfers. Helpfully, the ICO tells us that "none of the versions of the model clauses may be amended." However, it then goes on to say that using different wording may still allow "adequacy." This will only be the case, however, if the clauses used have the same meaning and effect as the model clauses and the exporter can be shown to have gone through the exercise in step 2 of determining whether at its destination the data will have adequate protection. Not deeply attractive.
4. even if step 3 is not available, there may be other gateways. Out of the seven cited here, only two are likely to be worth considering for marketers and in most cases one suspects they will not be viable.
First there is the consent of the data subject. Here the ICO underlines that to give valid consent for these purposes, the data subject must have a real opportunity to withhold their consent without suffering any penalty, or to withdraw it if they subsequently change their mind. In other words, tactics that will not work include incorporating consent to overseas transfer as part of a package of terms the individual has to confirm agreement to in order to enter a prize promotion.
Alternatively there is being able to show that the data transfer is "necessary for the performance of a contract between data controller and data subject." The dampener here is that the transfers have to be absolutely "necessary", so that where they are only occurring to provide cost efficiencies this will not qualify. The ICO cites an example here of a transfer of employee data from an EEA subsidiary to a US parent in order to centralise a multinational's HR and payment functions. This will not qualify as a "necessary" transfer.
On the other hand, a transfer that might qualify here as "necessary" would be a travel agency in the EEA transferring its customers' data to hotels in third countries where the customers have booked accommodation.
Useful section on outsourcing to third country data processors
In the fifth and last section the Guidance focuses on data exports to data processors in third countries to carry out processing on the data controller's behalf.
The ICO reminds us of the seventh data protection principle ("DPP 7") and the requirements it places as to the contract between the parties and aspects such as security measures.
Separately, there is the not entirely straightforward interaction between DPP 7 and DPP 8. The model clauses for data controller/data processor transfers will work here and should facilitate compliance with both principles, the ICO says. Even if these model clauses are not used, DPP 8 may still be complied with. This may occur, for example, by way of compliance with DPP 7 and the data controller being able to show that it has carried out its own checks into adequacy along the lines set out for step 2.
The ICO indicates that in this context, it may not require that the laborious "general adequacy" and "legal adequacy" checks in step 2 have been satisfactorily conducted in full. However it would expect the data controller to make due diligence checks in relation to the data processor (which DPP 7 requires in any event) and "conduct some examination of the type of matters usually looked at in relation to adequacy (e.g. the nature of the data, the country in which the data processor is located and the security arrangements in that country)."
Use of sub processors
Finally in this context, the Guidance focuses on use of overseas "sub processors" by data processors. Here, since the data controller will remain liable for compliance, it must satisfy itself that such subcontracting will not materially increase the risks to the data. It should as part of this process conduct its own due diligence checks into both the head processor and any sub processor. Also, the data controller/main data processor contract must expressly permit such subcontracting and require that any sub processing contract is in equivalent terms to the head processing contract.
Why this matters
This Guidance is clear and helpful on the issues covered and should prove an invaluable aid to all those involved in the types of data processing covered. However, it also underlines the still cumbersome and involved self-help steps required of all UK data controllers or data processors contemplating exports of personal data outside the EEA.