Gathering Clouds – Transferring Personal Data outside the EEA

Whereas data protection is largely standardised in the EEA and transfers within the EEA raise no issues, transfers to most other jurisdictions, notably the USA may raise complex legal issues. The 8th principle of the Data Protection Act 1988 (‘DPA’) stipulates that Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
However, in a global, increasingly cloud-based economy, data transfers between the EEA and the USA and other countries are inevitable. Thus, mechanisms have been developed to accommodate this. First there are the ‘Safe Harbor’ rules to which US companies may sign up agreeing to be bound by rules akin to those set out in the DPA. There are also Binding Coroprate Rules (‘BCR’) and Model Contractual Rules (‘MCR’) that can be invoked to address the problem. BCR are a set of inter-company rules reflecting the 8 DPA principles. These are only valid for data transfers from EEA companies to their non-EEA affiliates. The European Commission has approved MCR which comprise model contractual clauses that can be implemented into contracts for data transfers from EEA companies to unaffiliated non-EEA companies.
Data Controllers and Data Processors
The DPA distinguishes between a Data Controller is a person who alone, jointly or in common with others determines the purposes for which and the manner in which any personal data are processed and is responsible for ensuring compliance with the provisions of the DPA. Where Data Controllers have external contractors process data on their behalf, the latter are known as “Data Processors”.  But the Data Controller nevertheless remains responsible for the actions of the Data Processors.
Where an EU Data Controller sends personal data to a non-EEA Data Processor, the MCR can be invoked. In today’s cloud-based environment, data may pass through numerous different processors and countries. It is not realistic to expect the Data Controller to monitor each such transfer so it has been deemed sufficient for the non-EEA Data Processor to obtain the consent of the EU Data Controller prior to entering into an agreement to send personal data to a sub-processor and for the Data Processor to enter into an agremeent with sub-processors to process and handle the data in accordance with EU data protection law.