The Spanish data protection authorities showed their teeth in imposing a £37,000 fine on Microsoft Spain for illegally transferring personal data to the US.
Topic: Data Protection
Who: Microsoft and the Spanish Data Protection Authority
Where: Spain
When: May 2001
What happened:
Precision Marketing reported Microsoft’s signing up to the EU/USA "Safe Harbor" agreement. This followed transfers of personal data from Microsoft's Spanish arm to Microsoft in the USA, which resulted in a £37,000 fine being imposed on Microsoft Spain by Spain’s equivalent of the UK’s Information Commission. Why? Because according to the EU the USA does not currently have "adequate" data protection law. This means that unless one of four conditions is satisfied, EU-US transfer of personal data is a criminal offence. The four conditions are:
(1) the individual the data relates to (the "data subject") has consented to the transfer. This can be achieved by, for example, notifying the data subject at the point of collecting the data that his/her data may be transferred to a country without adequate data protection laws and providing an opportunity to opt out of this occurring; or
(2) the company sending the data and the company receiving it have a written contract obliging the receiving company to handle the data in a manner fully compliant with EU data protection law; or
(3) the transfer is necessary for the purpose of performing a contract between the data subject and the sending company (perhaps to deliver a book from a US warehouse to a UK purchaser online); or
(4) if the receiving company is a US company, that company has signed up to the EU/US "Safe Harbor" agreement. This is a voluntary scheme whereby US companies join bodies which require all companies joining them, as a condition of continuing membership, to treat personal data in a manner broadly compliant with EU data protection law.
Why this matters:
The report emphasises that Europe’s data privacy enforcers are not paper tigers and are fully prepared to police non-compliance where appropriate. It also underlines the fact that intra-group transfers of personal data out of the EU are not exempt from "Data Protection Principle Eight". If the sending and receiving companies are separate companies, there will be a transfer of data for the purposes of these rules, regardless of whether the companies are in the same corporate group.