Transmission of Data to Other Countries
Economic realities often dictate that it is far more cost-effective to send data abroad for processing than to process it within the UK.
In the light of the new Data Protection Act 1998 ("the 1998 Act"), the question arises as to the legal implications of storing and processing data abroad in countries where there may be no effective systems of data protection. The data in question will most typically relate to employees, sub-contractors and/or customers.
If a UK company now intends to store and process data outside the EEA, there are various important safeguards which should be put in place. These are described in outline and then more detail below.
Summary of Appropriate Safeguards
The UK company should:
- enter into a formal contract with the company to which the data is transferred, requiring that company to comply with the Principles of Data Protection and other requirements of the 1998 Act;
- if possible, retain decision-making control over the processing of the data;
- if possible, obtain consent to the transfer of the data from the data subjects;
- amend its registration with the Data Protection Commissioner to ensure that it covers the transfer of the data;
- seek the Data Protection Commissioner's approval of the contract suggested above;
- check its licences of any third party software or databases which may be transferred.
Whilst it is not possible at this stage to predict how the Data Protection Commissioner will apply the 1998 Act, it would seem that if the above recommendations are followed, the legal obstacles to such a transfer and processing of the data to and by another company would be minimised.
Detailed explanations of the above recommendations follow.
The 1998 Act
Under the Data Protection Act 1984 ("the 1984 Act"), which is currently in force, there is no automatic prohibition on the transfer of data from the UK to other countries. The Data Protection Registrar can serve a notice prohibiting transfer, but in practice this power has been used very rarely.
However, the position will change significantly when the 1998 Act, implementing the EC Data Protection Directive ("the Directive"), comes into force later this year. It is understood that the Act is unlikely now to be brought into force before the end of July, and that September is considered to be the earliest realistic possibility.
There are "grandfather provisions" allowing existing activities to continue over a three-year transitional period. However, these only apply to the extent that processing was "under way" before 24 October 1998. It would seem that transfer of data to another country could be regarded in itself as new processing which was not under way before that date, and that it would therefore be unsafe to rely on this transitional relief.
Transfer of Data to Other Countries
The principles of data protection which must be observed under the new regime include:
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Whether the foreign country "ensures an adequate level of protection …" is clearly a critical question. The Act contains a list of principles to be used in assessing this issue. However, if there is a ruling of the EU Commission on the point, this will be binding in accordance with article 25 of the Directive, and it is contemplated that the general question will be resolved in due course by the EU and through negotiations between the EU and other countries, rather than by the individual member states of the EU.
The EU Commission contemplated at one stage establishing a "White List" of countries considered to provide an adequate level of protection, but it is now thought that this is politically too controversial. A major problem is that it would be difficult to regard many of the states of the US as meeting the requirement without bending the rules, but a negative decision of the EU Commission in relation to the US would be highly contentious and disruptive of trade. There have been discussions between the EU and the US Department of Trade, but it appears that these have not produced any resolution.
Data Protection by Contracts
A possible solution to the general problem of reconciling the Directive with the requirements of international trade with countries which do not have data protection legislation is to allow data transfer in cases where data protection is assured by contractual terms. An EU Working Party reported in April 1998 that this would be particularly suitable in the case of intra-company transfers, provided that the contract obliged the transferee to comply with the requirements of the Directive.
Against this background, it is thought that the UK authorities will be cautious about making any general findings as to the adequacy of protection in other countries, and will try to decide cases on the basis of the adequacy of the protection of the data in the particular case. This approach can be justified in that the principles for assessing adequacy of protection state that an adequate level
is one which is adequate in all the circumstances of the case
and go on to refer to
(g) any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases), and
(h) any security measures taken in respect of the data in that country or territory.
Contractual Requirements
Having regard to the guidance given by the EU Working Party, the contract should:
- Require the company to which the data is transferred to comply with the 1st to 7th Principles of Data Protection as set out in the 1998 Act, namely (in summary) that personal data shall:
  - be processed lawfully and fairly (note that what is considered "fair" is very limited in relation to "sensitive personal data" such as racial or ethnic origin, political or religious opinions, trade union membership, physical or mental health, sexual life, or criminal offences);
  - be obtained only for one or more specified and lawful purposes and not be processed in any manner incompatible with such purpose(s);
  - be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;
  - be accurate and kept up-to-date;
  - not be kept for longer than is necessary;
  - be processed in accordance with the rights of the individuals concerned under the Act;
  - be protected by appropriate technical and organisational measures against unauthorised or unlawful processing or accidental loss or damage;
- Set out in detail the purposes, methods and circumstances of the data-processing and the way in which the above Principles are to be implemented;
- Require compliance with the rights of data subjects under the 1998 Act as regards access, rectification and objections to processing;
- If possible, ensure that the UK company retains decision-making control over the processing of the data;
- Specify that the UK company remains liable to data subjects for any failure to comply with the above Principles;
- Prohibit onward transfers of the data to third parties without the consent of the UK company (which should only be given if the third party enters into a satisfactory contract with the UK company).
Other Exemptions
The transfer of data is also exempted from the 8th Principle where:
- the data subject has given consent to the transfer;
- the transfer is necessary for the performance of a contract between the data subject and the Data Controller or for steps taken at the request of the data subject with a view to his entering into a contract with the Data Controller;
- the transfer is necessary for the conclusion or performance of a contract between the data subject and a third party entered into at the request of or in the interest of the data subject; or
- the transfer is authorised or made on terms of a kind approved by the Data Protection Commissioner on the basis that adequate safeguards for the rights and freedoms of data subjects are ensured.
It will therefore be desirable for the UK company to obtain consent for the transfer of the data to other group companies from all employees, contract staff and other individuals who are the subjects of the data. If this is done, the transfer will be exempt from the 8th Principle of Data Protection under (i) above. Obtaining consents should be straightforward in relation to all new staff and contacts, but may possibly present difficulties in relation to existing ones. Obtaining consent would also help in ensuring compliance with the First Principle of Data Protection (fair use).
Registration
The UK company should be registered already as a Data User under the 1984 Act and this registration should be reviewed and, if necessary, amended to cover the proposed transfer of data. At the same time, the Registrar/Commissioner can be asked to approve the contract. If it is approved, the transfers will be exempt under (d). If approval is delayed because of the workload of the Registry, the company is unlikely to be penalised for proceeding with it having made full disclosure to the Registry unless the arrangements are seriously deficient.
Confidentiality
It should also be noted that the UK company could be liable for misuse of confidential information contrary to the general law if it used or disclosed confidential data for purposes other than those for which the data was confided to it.
Copyright and Database Rights
Licences of third party software and databases used by the UK company may be limited to use by that company alone, or only in the UK, or on a limited number of computers, or even on particular computers or at particular premises. The company should check its contracts in relation to each third party product which may be transferred to other countries.
Sprecher Grier Halberstam has produced a guide to the legal issues, including a detachable email policy for employees, and provides in-house seminars to companies on the legal implications involved in doing business on the WWW.
© This article is copyright Sprecher Grier Halberstam LLP 2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. The contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.

