Transferring customer data abroad

Intra-group transfer of data outside of the EEA

Please note the Law may have changed since publication of this article.

Background

Boombust Limited intends to transfer details of all its existing customers to an off shore company within the same group of companies. The final decision as to where this company will be based has not yet been taken but is likely to be Jersey or Portugal.

There are two issues here. First, Boombust is transferring customer data to a third party; secondly, that transfer may be made to a place outside of the European Economic Area (the EU plus Iceland, Norway and Liechtenstein). Although the issues are linked, they are covered by two different principles under the Data Protection Act 1998 (“the Act”).

In this article we have assumed that most, if not all, of the information to be transferred relates to individuals rather than companies and that none of it is ‘sensitive data’. ‘Sensitive data’ means data about a person’s health, sex life, religion, politics, ethnic origin or membership of a trade union.

Transfer of data to a different group company

Information required to be given:

The First Principle requires that Boombust must inform individuals of the processing of their data which is to be carried out, before that processing occurs. Boombust’s terms and conditions do not provide for such transfer. The transfer Boombust proposes is to a third party (despite being within Boombust’s group of companies) and we will assume that the information will not be anonymised before it is transferred. Boombust should inform customers of this proposed transfer before it occurs.

If Boombust decides not to do so, it will be in breach of the Act. However, if such pre-information is not viable, Boombust’s next best option would be for Boombust’s off shore company to inform customers as soon as possible after the transfer. The notification should also set out the processing that it intends to carry out in relation to the customer names. Specific legal advice should be taken in this regard.

Conditions to be fulfilled:

In addition to informing customers of the transfer, the First Principle also requires that one of a number of conditions be fulfilled before the transfer can occur. These include that Boombust have the consent of the individuals to the transfer or that it is necessary for Boombust’s ‘legitimate business interests’ provided this does not cause unwarranted prejudice to the rights and freedoms of individuals.

If Boombust is informing customers before the transfer takes place, it can couple that with gaining their consent at the same time. Depending on the sensitivity of the data being transferred, it may be sufficient to gain opt out rather than opt in consent. Individuals could be allowed to tick a box if they did not want their details transferred. See also below as regards the consent needed under the Eighth Principle.

If Boombust does not intend to inform customers of the impending transfer then, presumably, it would not want to contact them to gain consent. In that case, it will need to rely upon the ‘legitimate business interests’ condition as mentioned above. As this is a new provision under the Data Protection Act (which only came into force at the end of October 2001), there is little guidance as to what would constitute ‘legitimate business interests’. Boombust also needs to weigh up its interest against any perceived prejudice to the rights and freedoms of individuals. Boombust needs to consider the pressing commercial need to transfer this data to a third party and how its business would be affected if it did not do so. Weigh this against the fact that the data will then be handled by a different entity (but within the same group – so that, arguably, there is unlikely to be much prejudice involved) and also possibly outside of the EEA. If Boombust’s off shore company were to produce and observe a comprehensive privacy policy protecting the rights of individuals, it may be that there would be no prejudice for individuals as a result of the transfer. If that privacy policy were group wide then that would assist the argument that no prejudice flowed from the transfer.

If Boombust intended to rely upon this condition, it would probably be advisable that it show, perhaps in a board minute, that Boombust has considered the legitimate business interests (giving reasons) as well as any possible prejudice to individuals and that Boombust has concluded that the prejudice to individuals is slight to non-existent (again, giving reasons).

Transfer of data to a different territory

Portugal

This is within the EU. A transfer to this territory will simply need to comply with the First Principle.

Jersey

Jersey is outside the EEA although it does have similar data protection laws to those in the UK. The Eighth Principle prohibits the transfer of data outside of the EEA unless the recipient country/territory has an adequate system of data protection in force in respect of that data. Jersey does not have an adequate system of data protection.

As Jersey has not achieved adequacy, there are two ways to get around this. First, Boombust can seek the consent of the customers to the transfer outside of the EEA. Boombust will need to tell them where their data is to be sent, what processing of their data will be carried out by the off shore company and also mention that the data protection regime of that territory has not achieved adequacy. Ideally Boombust should obtain opt in consent so that individuals must tick a box to show that they consent to the transfer. If Boombust is complying with the First Principle by informing customers before the transfer takes place and seeking their consent to the transfer, then it can couple this with seeking consent to the transfer outside of the EEA.

If Boombust is not intending to contact all its customers it will need to use contractual provisions to allow compliance with the Eighth Principle. Boombust is allowed to ‘plug the gaps’ of a data protection regime by providing for those gaps in the contract it has with the recipient of the data. Jersey has not achieved adequacy because it has no Eighth Principle – its data protection regime is based on the UK’s old 1984 Data Protection Act which had no prohibition on the transfer of data outside of the EEA. If, in Boombust’s contract with the Jersey company, Boombust prohibits the transfer of any data by the Jersey company to any place outside of the EEA then that transfer will have achieved adequacy.

Other Territories

This is outside the scope of this article. However, apart from Hungary and Switzerland, no countries outside the EEA are deemed to have achieved adequacy in terms of their data protection regime. Thus, any proposed data transfer to any non-EEA territory will require consideration in the light of the data protection regime, if any, in operation there. Other issues to be considered prior to such transfer will include practicality of obtaining consent, legitimate business interests of the transferring company, potential prejudice to rights of the data subjects and appropriate contractual provisions governing the transfer. In the case of transfers to the US, the so-called ‘Safe Harbor’ principles will apply to legitimise the transfer of data if the recipient company within the US (rather than the state in which the company is located) has applied these principles. Specific advice should be sought on these issues.

Further action

The matters Boombust now needs to decide include:

  • Will it be contacting individual customers before the transfer takes place?
  • If not, what are its commercial needs to make the transfer?
  • Is there any prejudice to individuals as a result of the transfer?
  • Where will the off shore company be based?

Boombust should consider updating and expanding its privacy policy which, ideally, should be a group wide policy applicable to the processing of data wherever it is held within the Boombust group.

© This article is copyright Simon Halberstam 2008 and should not be construed as legal advice or opinion in any specific facts or circumstances. The contents are intended for generic information purposes only. You are urged to contact a suitably qualified lawyer for specific advice.