If it’s all in the same corporate group, transfers of customer/prospect data from the UK to the US are automatically OK, yes? Certainly not, at least until an EC data protection working party came up with proposals for how this might legally happen.
Topic: Data Protection
Who: 'The Article 29 Working Party'
Where: Brussels
When: July 2003
What happened:
The European Commission has recently issued a 'Working Document' which introduces another compliance option for European subsidiaries and affiliates of US companies who want to compliantly transfer personal data to the US.
The development comes from the 'Article 29 Working Party,' the body charged with overseeing the operation of data protection legislation in the European Union.
On the face of it, this should be welcome news for companies operating in the European Union wishing to share personal data within a corporate group that includes companies operating in countries like the US.
This is because, under European Union data protection law and subject to a small number of exceptions, personal data may only be transferred from a European Union country to a country outside the European Economic Area (the EU plus Norway, Liechtenstein and Iceland) if that country has 'adequate' data protection laws.
So far, only Switzerland, Hungary, Canada and Argentina have been recognised by the European Union as having 'adequate' data protection law, so for those wanting to transfer personal data to companies in the US, for example, unless one of the exceptions applies, this simply cannot be done legally.
In a commercial/marketing context, there are currently five exceptions to this rule. These are:-
- Those US companies who have signed up to safe harbor can be checked out on a website, but relatively few have done so because the implications of signing up are regarded as far too onerous;
- the transfer is with the prior unambiguous consent of the data subject. One of the more practical solutions to international data transfer, this ought to be available provided the data subject has been informed of the possibility of the transfer at the point at which his data is collected, told at that point what this might mean as far as the security of his data is concerned and, ideally, given the opportunity of opting out of the transfer. However, what makes this option slightly less attractive is that different European Union countries might take a different approach to what constitutes 'unambiguous consent';
- the transfer is necessary for the conclusion or performance of a contract between the data subject and a third party.
In light of the above, any further compliance option for intra-group data transfers must be attractive, so the Article 29 Working Party 'Working Document' has generated a fair deal of interest.
On closer examination, however, it may not offer too much relief from the rigours of either 'safe harbor' or the 'standard contractual clauses'.
Just some of the requirements of the Working Document are as follows:-
- the corporate group within which the data is to be transferred must grant rights to the relevant data subjects to enforce compliance with the 'standard contractual clauses';
- the group must also be able to demonstrate that its internal privacy policy is known, understood and effectively applied throughout the group by way of appropriate training and information availability;
- the group must appoint the appropriate staff (with top management support) to oversee and ensure compliance;
- the group's internal privacy policy must provide for self audits and/or external supervision by accredited auditors on a regular basis with direct reporting to the board of directors of the parent company;
- the group must set up a system by which individuals' complaints are dealt with by a clearly identified complaint handling department;
- the internal privacy policy itself must contain clear duties of cooperation with the national data protection authorities;
- there must be an unambiguous undertaking that the corporate group as a whole and any of its members separately will abide by the advice of the competent data protection authority on any issues related to the interpretation and application of its internal privacy policy; and
- the group must designate an affiliate in the European Union to which data protection responsibilities will be delegated, including the responsibility to pay compensation for any damages resulting from the violation of the internal privacy policy.
Why this matters:
As indicated above, initial reception from some US quarters to this development has not been terribly warm, and in any event it must be borne in mind that the Working Document only represents one view of how data protection legislation should be applied in practice. It is not binding on national data protection authorities, who would, under the Working Document, have to ratify or approve each relevant global privacy policy before it could be used by a corporate group to legitimise data transfers.
Comments on the Working Document are being requested by the European Commission by 30 September 2003, and it remains to be seen what level of enthusiasm there is for this development on both sides of the pond.