US body Privacy International accused Amazon.co.uk of breaking UK data protection laws by transferring to the US personal data held about its British customers
Who: Amazon.co.uk and Privacy International
When: September 2000
Where: UK
What happened:
US body Privacy International accused Amazon.co.uk of breaking UK data protection laws by transferring to the US personal data held about its British customers. Amazon denied any illegality, referring to the notification in its privacy policy that data might be exported to the US. FEDMA commented, however, that providing an opportunity to opt-out of such a transfer was required and this was an option which the Amazon.co.uk website did not appear to offer customers at the relevant time.
Why this matters:
It is often thought that it is illegal per se to transfer personal data (even names and addresses) from the UK to the US. This is not necessarily the case. There are three principal ways of avoiding illegality. First, by ensuring that the transfer is only for the purposes of performing a contract. For example, if stocks of products ordered on-line in the UK are held in the US and the products are to be delivered by snail mail from the US to the UK, then it is essential that the orderer's name and address are transferred to the US for that purpose. Provided the data is only used for this purpose, this will be legal. Secondly, it can be stated clearly on the website, at the point where the data is input by the individual, that the data may be transferred out of the UK to a country which does not have adequate data protection laws. Provided this is accompanied by an opportunity to opt out of such transfer, this should be in conformity with UK law. Thirdly, the transferor and transferee companies can enter into a bilateral written contract which obliges the transferee to deal with the data in a manner that is fully consistent with UK data protection legislation. For example, the transferee will be obliged expressly to keep the data secure, not to disclose it to third parties and to use the data only for purposes which would either have been obvious to the individual at the time that they input their data or which have been disclosed in advance at the point of collection of the data. In this connection, work is now proceeding at high levels to arrive at an approved set of model terms for such a contract which will be recognised by the European Union as placing adequate obligations on the transferee company.
Finally, it is to be hoped of course that the recently agreed safe harbour principles concluded by the US and the EU will further facilitate UK/US data transfer. Since this system is entirely voluntary in the US, however, some sceptics suggest that it is merely window dressing. If so, EU data transfers may for the moment at least continue to be safer using the three main gateways described above.