The European Commission has published a list of FAQs (and answers) on the transfer of personal data from the EEA to third countries.
The Data Protection Directive 95/46 provides that personal data transfers outside the European Economic Area (EEA) may only take place if there is an "adequate level of protection" provided for that data in the destination country. Despite some relaxation of this absolute prohibition in the Directive (e.g. providing a Safe Harbor regime for EEA-US transfers), many organisations still struggle to interpret and apply the rule in practice. The FAQs ostensibly attempt to clarify the most common issues for organisations, breaking these down into four main categories:
- General Questions: High-level issues include defining what an international transfer of personal data means. For instance, disclosing data in an email or 'taking action' to make data available in a third country is regarded as a transfer, but loading personal data onto an internet page hosted in the EEA which may happen to be accessible overseas is not.
- Standard Contractual Clauses: There are three sets of standard contractual clauses (Clauses) currently approved by the European Commission as offering sufficient safeguards to meet the 'adequacy' requirement under the Directive. Two sets of Clauses are for data controller to data controller transfers and another set of Clauses governs data controller to data processor transfers.
Adopting the Clauses word-for-word will achieve compliance with the EU legal standard. At the same time, use of the Clauses is not mandatory, and organisations can choose to adopt their own contract terms for the transfer, although they will no longer benefit from automatic pre-approval. The FAQs refer to organisations being able to seek approval for their own contract clauses from national data protection authorities; however, the Information Commissioner (ICO) in the UK does not currently provide such approval for organisations, nor does the ICO need to be notified of a particular data transfer, unlike some other EEA countries.
- Questions regarding Binding Corporate Rules: The third block of FAQs provides clarification relating to the use of binding corporate rules (BCRs).
BCRs are essentially a code of practice, based on European data protection standards, that multi-jurisdictional organisations can choose to adopt. They are an alternative to using multiple bilateral contracts (based on the Clauses) to facilitate internal data transfers across global group companies. Businesses need to draw up their own BCRs and apply for regulatory approval from a national data protection authority to gain legal recognition. Where data is transferred from a number of EEA states, a "lead" supervisory authority (e.g. the ICO in the UK) will need to be chosen to take the initial application and to co-ordinate the process with authorities in other member states.
The FAQs provide guidance on issues such as how to select the most appropriate authority to lead the application process (e.g. focusing on where a business's main EU HQ is located), as well as a checklist of what items to include in the BCRs themselves.
- Questions relating to Derogations: The fourth set of FAQs relates to the conditions or "derogations" in the Directive which, if met, permit the transfer of personal data to a third country even where adequate protection does not exist.
The derogations include obtaining unambiguous consent from the data subject to the transfer of their data to that territory, or where the transfer is "necessary" to conclude or perform a contract in the interest of the data subject. The FAQs make clear that this latter derogation is a "necessity"-based test requiring a "close and substantial connection" between the data subject's interest and the purpose of the contract (i.e. it would not justify the transfer of employee data to an overseas payroll management provider or stock option scheme manager, even though there is an employee interest in these arrangements).
The FAQs do not have legal force, and differences in how the Directive is interpreted in the UK (through the Data Protection Act) and other EU jurisdictions mean that caution should be used when relying on them without local legal advice. As a Commission-sponsored document, however, following these FAQs should have persuasive force with a regulator and the courts, and ultimately they should be regarded as a useful aid to the practical interpretation of the rules.