Privacy & Data Protection

 


 

International Data Transfers

Article in Volume 1, Issue 5 (April/May 2001)

 

Model Clauses for International Data Transfers

The European Commission has finalised the drafting of the model clauses that will allow European e-businesses to transfer personal data to countries without an adequate level of protection.  Any measure to facilitate transfers can only be good for e-commerce, but what are the requirements?  Eduardo Ustaran examines.

Article 25 of the 1995 Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (the 'Data Protection Directive') placed a controversial requirement on the governments of EU Member States: to ban the transfer of personal data to any country outside the European Economic Area (which consists of the fifteen EU Member States together with Iceland, Liechtenstein and Norway) unless that third country ensures an adequate level of privacy protection.  Implementing this provision whilst promoting a truly borderless economy posed a real challenge for all EU governments.

In the UK, this requirement was incorporated as Principle 8 of the Data Protection Act 1998, which states:

'Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data'.

Similar provisions have been incorporated in most European data protection laws.  This has prompted international concern about the future of partnership agreements and strategic alliances between global Internet-based businesses.  However, by way of derogation from Article 25, Article 26(2) of the Data Protection Directive provides that Member States may authorise a transfer, or a set of transfers, of personal data to third countries which do not ensure an adequate level of protection where the organisation wishing to transfer the data adduces adequate safeguards with respect to the protection of the privacy rights of individuals.

Article 26(4) goes on to say that such safeguards may result from certain standard contractual clauses approved by the European Commission.  The UK Data Protection Act implemented this provision as paragraph 8 of Schedule 4 of the Act, which states that Principle 8 does not apply in cases where:  'the transfer is made on terms which are of a kind approved by the Information Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects'.

 

The European Commission's Blessing

After more than five years of negotiations with national regulatory bodies, influential trade associations and international organisations, the European Commission has taken the final step in the adoption of standard contractual clauses.  The clauses potentially allow the transfer of personal data on a global basis.

The standard contractual clauses adopted by the Commission will be scrutinised by the European Parliament and, provided that the Parliament confirms that the Commission has followed the correct channels in the drafting of the clauses, they will be published in the EU Official Journal.  Once the standard clauses are officially published, EU Member States will have 90 days to recognise them as providing adequate safeguards.

The European Commission has stated that the standard contractual clauses are designed to facilitate transfers, but their use is not compulsory for European e-businesses that transfer data overseas.  The clauses are just one option available to those businesses and do not affect other model contracts approved by the data protection authorities of individual Member States or previous authorisations granted on this basis.

Although, in principle, Member States are bound by the Commission's decision to allow transfers on the basis of the draft standard contractual clauses, the data protection authorities of each country may require that a copy of the contract is deposited with them.  In addition, if there is a substantial likelihood that the standard contractual clauses are not being, or will not be, complied with and the continuing transfer would create an imminent risk of grave harm to individuals, the national data protection authorities may exercise their powers to prohibit or suspend any relevant transfer.

 

Obligations of a European e-Business

According to the standard contractual clauses, an EU-based e-business sharing personal data with an overseas partner must warrant and undertake:

  • that the processing of personal data up to the moment of the transfer is, and will continue to be, carried out in accordance with the local data protection law;

  • that, if the transfer involves 'sensitive' personal data, the relevant individuals will be informed (e.g. via an online Privacy Policy) that their data may be transmitted to a third country without an adequate level of data protection;

  • that it will make available, upon request, to any individual to whom the data relate, a copy of the standard clauses used in the transfer contract;

  • that it will respond to any enquiries of any such individual in relation to the overseas transfer and processing; and

  • that it will respond to any enquiries of its national data protection authority in connection with the processing carried out by the importer of the data transferred.

 

Obligations of the Overseas Partner

The standard clauses approved by the European Commission require the overseas recipient of the data to warrant and undertake:

  • that it has no reason to believe that its national legislation will affect its performance of the contract;

  • that it will process the data in accordance with the so-called nine Mandatory Data Protection Principles, which represent a minimum requirement for data protection and mirror the key requirements of the Data Protection Directive in terms of purpose limitation, data quality and proportionality, transparency, security, individuals' rights, restrictions on onward transfers, sensitive data, direct marketing and automated individual decisions;

  • that it will deal promptly and properly with all reasonable enquiries made by its European partner or the individuals to whom the data relate;

  • that it will co-operate with any relevant national data protection authority investigating the transfer or the processing carried out by the importer;

  • that it will submit, upon request of the data exporter, its data processing facilities for audit;

  • that it will make available, upon request, to any individual to whom the data relate, a copy of the standard clauses used in the transfer contract.

It is now hoped that the standard contractual clauses will be fully operational across the EU after the Summer.  The progress of this issue will certainly be relevant to many EU e-businesses seeking to rely on global partnerships for success (and survival!).

Eduardo Ustaran - Berwin Leighton Paisner
Email.  eduardo.ustaran@berwinleightonpaisner.com 

 



 

© Privacy & Data Protection Limited, 2002

 

