Businesses increasingly operate on an international basis both internally within global group structures and externally with networks of customers and suppliers. And this is not limited only to large enterprises as small to medium size businesses are also increasingly using cloud and other technologies to collect, store, use and disclose data across borders. The combination of these factors means that personal information about individuals in the UK may often be processed overseas, frequently without the explicit knowledge or consent of those individuals. This raises issues such as the security of such data, who may have access to it and for what purposes and what rights the individual may have to object.
Europe has a long history of data protection and has traditionally been seen as having a higher standard than the rest of the world. European data protection legislation therefore builds in a standard of protection for personal data that is being transferred outside of Europe. In the UK this protection comes from the Data Protection Act 1998 (the 'Act'), primarily the last of eight Principles set by the Act, Principle 8. The principles of the Act implement the provisions of the EU's Data Protection Directive 1995 (the 'Directive') which is currently the subject of reform negotiations.
However there is an issue as to whether the legislation has been overtaken by commercial and technological advances and whether the overseas transfer requirements in fact place unreasonable and unrealistic demands on organisations that transfer data overseas. But until any changes are made, organisations must fit within the current compliance regime.
The primary legal provision in the UK is Principle 8 of the Act which states that,
"Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."
However, other principles and provisions of the Act are relevant when looking at overseas transfers. For example, Principle 1 requires a 'data controller' to provide information to individuals about the processing of personal data about them. This can include notifying people that information about them will go overseas. Principle 7 requires appropriate technical and organisational security measures to be in place to protect data, including ensuring the reliability of staff and having written contracts in place with any 'data processors' (suppliers/providers acting on behalf of a data controller in processing personal information). Compliance with the Act should be considered as a whole.
Alongside compliance, organisations should consider commercial and reputational risks. Businesses are regularly being criticised for lack of security in the protection of personal data; employers transferring data to an overseas head office frequently face queries and objections from staff. Properly implementing a compliance process for overseas transfers can involve time and effort and management of customer/employee expectations and concerns, but, in view of the damage that can be done from adverse publicity whether external or internal, compliance is well worth the investment.
Is there an international transfer of personal data from the UK?
Before considering the regulatory and compliance issues in relation to international data transfers, the first question is "whether a transfer of personal data is taking place". If personal data merely transits through another country it may not be considered to be transferred there. Guidance from the Information Commissioner, the data protection regulator, suggests that a transfer involves a transmission from one place or person to another, and whilst it recognises that for electronic transfers the data may not physically move, but rather is copied, it is quite clear that a transfer comprises more than simply a routing of data through a third country on its way from the UK to another European Economic Area (EEA) country.
The Information Commissioner has stated that "if you add personal data to a website based in the EU that is accessed in a country outside the EEA, there will be a transfer of data outside the EEA." This issue was considered by the Court of Justice of the European Union when Mrs Lindqvist, an active member of her local church in Sweden, set up an internet home page as part of a computer course and chose to create a site giving information to church parishioners. The site included names, telephone numbers and references to hobbies and jobs held by Mrs Lindqvist and her fellow parishioners.
Whilst the court held that posting information on a website did constitute the processing of personal data as covered by the data protection legislation, it found that this did not constitute an overseas transfer of such personal data, where the site was hosted by an ISP located within the EEA. It reasoned that the Directive could not be construed as intending the expression "transfer of data to a third country" to cover the loading of data onto an internet page, even though this resulted in data being made accessible to persons in other countries. The Court's decision however, rested heavily on the fact that no person in a third country actually accessed any personal data made available on Mrs Lindqvist's site. Commenting on the case, the Information Commissioner has stated that "In practice, data are often loaded onto the internet with the intention that the data be accessed in a third country, and, as this will usually lead to a transfer, the principle in the Lindqvist case will not apply in such circumstances."
Accordingly, although the legal position is not completely clear, for most global organisations who do intend for their systems or websites to be accessed by anyone outside of the EEA, if they enable such access to and processing of personal data, it is likely that they are intentionally making a transfer overseas and Principle 8 will apply.
What about transfers into the UK?
This series of articles address transfers of personal data from the UK. But in a global business UK data controllers may also receive personal data from overseas. Some issues to consider in this scenario include:
- Is the UK entity only acting as a data processor on behalf of the overseas entity? If so, the overseas entity may wish to impose contractual obligations on the UK entity but, if the UK entity has no control over how and why the data are to be processed, it will not become a UK data controller with compliance obligations.
- If the UK entity does exercise control over the processing of the data, is the overseas entity complying with the laws of its own country? Are there any restrictions on transfer from that country? Whilst this may not directly affect the UK data controller, it is possible that it will not be obtaining the data fairly and lawfully under the Act if it is aware that this is in breach of overseas legislation.
- Similarly, will the UK data controller be using the data in a way compatible with the purposes for which it was originally collected? Again, it may be considered unfair under the Act to use the data for purposes not expected by the individuals.
A UK data controller should seek advice and carry out due diligence if it is importing data from overseas.
In the UK, the Information Commissioner is responsible for enforcing the Act. Generally, compliance issues come to light when an individual complains to the Information Commissioner. The Information Commissioner will carry out an investigation which may involve contacting the organisation and requiring further information. The Information Commissioner can issue an enforcement notice for non-compliance.
The Information Commissioner may also impose a monetary penalty for amounts of up to £500,000 for serious contraventions of the Act. A serious contravention is likely to be deemed to have occurred where non-compliance results in substantial damage or substantial distress. The Information Commissioner will take into account whether a contravention was deliberate and whether the data controller knew or ought to have known that there was a risk of contravention and failed to take reasonable steps to prevent it, before taking a decision to impose a monetary penalty.
It is important for any organisation to keep abreast of compliance issues, guidance from the Information Commissioner and best practice and to bear in mind that even without formal enforcement action, protecting reputation can be equally as important.