If it’s all in the same corporate group, transfers of customer/prospect data from the UK to the US are automatically OK, yes? Certainly not, at least until an EC data protection working party came up with proposals for how this might legally happen.
Topic: Data Protection
Who: 'The Article 29 Working Party'
When: July 2003
The European Commission has recently issued a 'Working Document' which introduces another compliance option for European subsidiaries and affiliates of US companies that want to transfer personal data to the US compliantly.
The development comes from the 'Article 29 Working Party,' the body charged with overseeing the operation of data protection legislation in the European Union.
On the face of it, this should be welcome news for companies operating in the European Union wishing to share personal data within a corporate group that includes companies operating in countries like the US.
This is because, under European Union data protection law and subject to a small number of exceptions, personal data may only be transferred from a European Union country to a country outside the European Economic Area (the EU plus Norway, Liechtenstein and Iceland) if that country has 'adequate' data protection laws.
So far, only Switzerland, Hungary, Canada and Argentina have been recognised by the European Union as having 'adequate' data protection law, so for those wanting to transfer personal data to companies in the US, for example, unless one of the exceptions applies, this simply cannot be done legally.
In a commercial/marketing context, there are currently five exceptions to this rule. These are:-
Those US companies who have signed up to safe harbor can be checked out on a website, but relatively few have done because the implications of signing up are regarded as far too onerous;
the transfer is with the prior unambiguous consent of the data subject. One of the more practical solutions to international data transfer, this ought to be available provided the data subject has been informed of the possibility of the transfer at the point of his data being collected, told then what this might mean so far as the security of his data is concerned and perhaps ideally given the opportunity of opting out of the transfer. However, what makes this option slightly less attractive is that different European Union countries might have a different approach to what constitutes 'unambiguous consent';
the transfer is necessary for the conclusion or performance of a contract between the data subject and a third party.
In light of the above, any further compliance option for intra-group data transfers must be attractive, so the Article 29 Working Party 'Working Document' has generated a good deal of interest.
On closer examination, however, it may not offer too much relief from the rigours of either 'safe harbor' or the 'standard contractual clauses'.
Just some of the requirements of the Working Document are as follows:-
- the corporate group within which the data is to be transferred must grant rights to the relevant data subjects to enforce compliance with the 'standard contractual clauses';
- the group must appoint the appropriate staff (with top management support) to oversee and ensure compliance;
- the group must set up a system by which individuals' complaints are dealt with by a clearly identified complaint handling department;
Why this matters:
Comments on the Working Document are being requested by the European Commission by 30 September 2003, and it remains to be seen what level of enthusiasm there is for this development on both sides of the pond.