Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

UK Registrar publishes guidance on transborder flows [1999] PLBIRp 38; (1999) 50 Privacy Laws and Business International Report 3

UK Registrar publishes guidance on transborder flows

THE UNITED KINGDOM'S Data Protection Authority advises organisations to go through a thorough examination of adequacy before transferring personal data outside the EEA. This preliminary view suggests a risk-based approach.

The question of transferring data to countries outside the European Economic Area (EEA) is addressed by principle eight of the UK Data Protection Act 1998. It prohibits data controllers from transferring personal data to these third countries, unless they ensure an adequate level of protection. The guidance by the Registrar's office, published in July, represents the Registrar's preliminary view on the issue. Comments are welcome on this legal analysis of transborder dataflows. The office will publish more simplified guidance later.

TRANSFER OR TRANSIT?

This guidance focuses on how to assess adequacy. First of all, organisations need to identify whether the data is transferred, or merely in transit. For example, data that is transferred from the UK electronically via a third country to another EU country (or Norway, Iceland and Lichtenstein) would not be caught under the Directive's transborder flow restrictions, unless substantive processing operations take place in the third country. But the transborder flow provisions do apply to data intended to be processed automatically or as part of a "relevant filing system" after it has been transferred. This category includes, for example, mass data transfers from one computer to another using telecommunications systems.

WAITING FOR DECISIONS ON ADEQUACY

The Data Protection Registrar recommends that organisations make their own evaluations on adequacy. They suggest a "good practice approach" which includes four elements:

1. Relying on the findings made by the EU

2. Looking at the type of transfer

3. Conducting an adequacy test, and

4. Relying on derogations.

Data controllers should first check whether the third country in question has been found to have "adequate protection" by the Article 31 committee set up under the Directive. While the European Commission will not be able to assess all third countries, several have been studied. The EU Data Protection Working Party has already recommended that Switzerland (PL&B July '99 p.16) and Hungary (see p. 2) should be regarded as "adequate". The ODPR will provide necessary assistance to data controllers by putting any such findings/lists of countries on her website.

TRANSFERS FALL INTO CATEGORIES

If there is no decision on the country's adequacy, the second step for data controllers is to evaluate the type of transfer involved. The Confederation of British Industry (CBI) has identified six categories of international transfer, which require different approaches for creating adequacy. The Registrar's office regards these categories to be of limited assistance, because not every transfer falls into one of the categories. However, the classification is useful in assessing the potential risks involved. The six categories are:

1. Transfers to a third party processor who remains under the control of the exporting data controller.

2. Transfers within an international or multi-national company or group of companies where an internal agreement, policy or code may be more appropriate than a potentially large number of contracts.

3. Transfers within a consortium of independent organisations set up to process international transactions in, for instance, the banking or travel sectors.

4. Transfers between providers of professional services such as lawyers or accountants whose clients' affairs are international in scope.

5. Transfers which amount to a licence for use and probably a rental payment in respect of personal data used, for instance, in direct marketing.

6. Transfers which amount to a sale of data to a third party with no continuing relationship either with the data subject or the purchaser.

Out of these six categories, the last one represents the biggest risk to data subjects, as there will be no continuing relationship.

THE ADEQUACY TEST

The third and the most demanding part of the "good practice approach" requires data controllers to consider all the circumstances of the transfer in question. The Registrar recognises that data controllers transferring data to third countries are likely to, in many cases, consider only steps 1, 2 and 4, without getting into the detailed analysis of assessing adequacy. In her guidance, she recognises this to be an alternative, pragmatic approach for companies, but warns that taking an easier route is more likely to lead to a breach of the principles.

A full assessment of adequacy looks at all aspects involved in the transfer, such as:

• the purpose of the transfer

• the nature of the data

• the period during which the data is intended to be processed

• any security measures taken in respect of the data and

• the law in force in the third country

These circumstances, known as general adequacy criteria, can and should be assessed in every case because they are within the knowledge of the exporting controller.

CONVENTION 108 SIGNATORIES LIKELY TO BE ADEQUATE

While it will be difficult for data controllers to assess in detail the level of legal protection afforded by a third country, this is expected at least when controllers are planning regular, largescale transfers of personal data to that country. The Registrar's guidance suggests, that "even in those cases where they do not conduct an exhaustive analysis, exporting controllers will be expected to be able to recognise countries where there would be real danger of prejudice because of, for example, instability in the third country at the time."

Particular attention must be paid to transfers of sensitive data, marketing data (need to provide an opt-out) and data which is subject to an automated individual decision. A useful measuring stick for legal adequacy is whether the country has ratified the Council of Europe Convention 108. It can be assumed, in cases of most transfers to these countries, that there is an adequate level of protection, provided that the country in question is the final destination of the transfer, and that it has appropriate mechanisms to ensure compliance, help individuals, and provide redress.

CONTRACTS AND CODES

If, after these steps, there is still no presumption of adequacy, organisations should consider using contracts and codes of conduct. The Registrar reminds organisations about specific restrictions in the English law to enforce contractual rights in favour of third parties. In other words, if the contract has been made between two organisations, the individual whose data is being transferred has limited rights.

Despite these legal problems, the Registrar considers that multinationals, in particular, are well suited to use contracts. She also supports the development of model contractual clauses by trade associations. However, the Registrar cannot advise data controllers on specific individual contracts.

Finally, organisations must assess adequacy by conducting a risk assessment in order to evaluate the level of risk involved in a particular transfer. Interestingly, the Registrar's guidance recognises that, in practice, security arrangements may often be the key factor in ensuring adequacy. The Registrar recommends the security management practices of BS7799, as well as encryption.

TIGHT EXEMPTIONS

The fourth and the last step in assessing adequacy includes looking at the exemptions where the eighth principle of the Act does not apply. Apart from the obvious exemptions, such as transfers to which the data subjects have consented, there are several that need interpretation. These include the use of authorisations made by or on behalf of exporting controllers.

While the Registrar supports the development of model contracts, applications for authorisations will be considered only in extremely limited circumstances where they can be regarded as the last resort.

Model contracts may be approved in cases where data controllers can demonstrate that it would be inappropriate to rely on any of the other derogations. However, model contracts present certain difficulties, such as:

1. The absence of arrangements for securing practical enforcement of UK data protection law, and the consequent lack of any practical remedy to data subjects.

2. The absence of an independent assurance of compliance, for example, an external audit requirement for the benefit of data subjects and the supervisory authority in the exporting country.

The Registrar thinks that there will only be a small number of model contracts, but these will be widely used. The CBI submitted its proposal for model contract clauses to the EU Data Protection Working Party in August. It is hoped that a variety of companies will be able to use the clauses as a model when transferring personal data to countries outside the EEA.

The full paper, which is a preliminary view of the Data Protection Registrar on transborder dataflows and assessing adequacy, can be found on her website at http://www.dataprotection.gov.uk.