Transferring personal data out of the EU is easy, but dangerous unless one of a handful of ‘gateways’ is used.
Topic: Data protection
Who: The European Commission
Where: Brussels
When: Summer 2001
What happened:
The EU Data Protection Directive limits the circumstances in which personal data can be legally transferred out of the European Union. One legal circumstance is if the transferee state has “adequate” data protection laws, in other words data protection laws broadly similar to those of the European Union. The EU has formally accepted that Hungary and Switzerland have “adequate” laws, and details have also been published of 13 other countries which the EU thinks are likely to cut the mustard. These are Australia, Canada, Guernsey, Hong Kong, the Isle of Man, Israel, Japan, Jersey, New Zealand, Poland, the Slovak Republic, Slovenia and Taiwan.
Another way to make a legal transfer of “personal data” (remembering this includes even just a name and address) is to transfer data to a company under a contract which obliges the transferee company to process the data in a manner consistent with the EU Directive. To help this process, the European Commission has published a set of standard contract terms. These impose “adequate” safeguards on personal data in the hands of a transferee. Any non-EEA company which uses these clauses as a matter of day-to-day practice must, the EC says, be recognised by EU member states as offering adequate protection and therefore as acceptable for EEA concerns to transfer data to.
Why this matters:
The law here is imperfectly enforced, and many are still transferring personal data, with apparent impunity, between group companies located inside and outside the EU, even though this is caught by the above transfer rules as much as if the companies concerned were in entirely different corporate groupings.
Apart from the “state recognition” route already mentioned, however, there are other “gateways” for legal ex-EEA data transfer. For instance, a transfer can be made with prior consent, by notifying the individual clearly at the point of data capture that their data may be transferred to a country without data protection laws equivalent to those in the EU.
Alternatively, if the transfer is necessary for the fulfilment of a contract (e.g. delivery of a product ordered on-line which has to be dispatched from a location in the US), this will be OK regardless of the regulatory position in the transferee country, though transferors using this gateway will be well advised to oblige the transferee by contract to use the data for fulfilment purposes only.