Please note: This is one of a series of guides about overseas transfers of personal data. If you're new to that subject, read the introduction to overseas transfers first.
If you have established that there is a transfer of personal data from the UK, the next step is to look at the grounds for making the transfer.
The grounds on which a transfer may be made to be compliant with Principle 8 can be viewed in three groups: the regimes established by the regulators; the statutory exemptions to the Principle 8 prohibition; and the data controller's own finding of adequacy. Each of these groups is considered in more detail below.
The European Commission undertakes a process of investigating the data protection legislation and regimes of certain countries outside the EEA. Its conclusions as to whether countries outside the EEA ensure an adequate level of protection are published on the Europa website. These include Switzerland, Canada, Argentina, the Isle of Man and Guernsey. The UK Information Commissioner has adopted these findings of adequacy for the purposes of the UK Data Protection Act 1998 (the "Act") as well. Therefore a transfer to one of these countries is acceptable under Principle 8 of the Act, although compliance with the other principles must still be considered.
For example, a UK financial services company has offshore operations in the Isle of Man, Guernsey, the Cayman Islands and the Bahamas. Subject to compliance with the rest of the Act, it can make intra-group transfers of customer and employee personal data to its operations in the Isle of Man and Guernsey under Principle 8 as these countries are deemed to have an adequate level of protection. However, for the Cayman Islands and the Bahamas it must find another compliance route. Adequacy findings therefore only provide a limited solution.
Although the European Commission does not consider the national data protection legislation of the USA to be adequate, it has reached a deal that will allow a finding of adequacy if organisations in the USA sign up to a self-regulatory scheme known as Safe Harbor (see our OUT-LAW guide, The US Safe Harbor scheme). The Information Commissioner has adopted this finding of adequacy for the purposes of the UK Data Protection Act 1998 as well. This may be an option for companies transferring to a US head office or using a US supplier that has signed up to the Safe Harbor principles (although take up in the US has been slow).
A transfer of data from a data controller in the EEA to a data controller in a third country is permitted if that transfer is made in accordance with standard contractual clauses which the European Commission has decided offer sufficient safeguards (see our OUT-LAW guide EU model contractual clauses). The Information Commissioner has approved use of the model contractual clauses for the purposes of achieving adequacy under Principle 8 of the Act. This is often the route used in outsourcing offshore deals.
A company code of practice, or set of binding corporate rules, may be accepted by EU regulators as an adequate basis for transfer but the concept is at a relatively early stage of development and can be time consuming to implement across a global organisation. (See our OUT-LAW guide The effect of binding corporate rules on overseas transfers of personal data.)
Schedule 4 of the Act sets out a number of cases where Principle 8 will not apply to an overseas transfer of data, many of which act as simple exemptions from the adequacy requirements of Principle 8. The Information Commissioner does not generally promote reliance upon these exemptions, especially for long-term or frequent transfers by commercial entities, and interprets them in a very narrow way. The exemptions are therefore unlikely to be appropriate for most commercial transfers, but the two that are most likely to be considered are consent and transfers necessary for the conclusion of a contract with the data subject.
It is always open to a UK data controller to get the consent of individuals to an overseas transfer. Consent ensures Principle 8 compliance. However, before following this route an organisation should consider carefully whether it is the most appropriate option. What would happen if an individual did not consent or subsequently withdraws their consent? Consent must be unambiguous, freely given, specific and informed. There is an argument that employees cannot give valid consent as they may feel that they have no other option. For business critical transfers consent is not really an option and organisations will need to rely on one of the other options, bearing in mind that there may still be a need to tell people about the transfer, even if their consent is not obtained.
In some cases, the nature of the relationship between the data controller and the individual may imply that a transfer of data is necessary for contract fulfilment. For example, if an individual books a holiday in Malaysia through a UK travel agency, it is implicit in that relationship that the travel agent may need to transfer information about the individual to the Malaysian airlines, hotels, tour operators etc. However, "necessary" should be something more than just convenient or cost efficient. This option is unlikely to apply where an employer wants to transfer employee data to an overseas head office as this is not going to be strictly necessary for fulfillment of the employment contract.
The Information Commissioner has made clear to UK businesses that it is open to the data controller to make its own finding of adequacy in relation to a particular transfer, and has provided detailed guidance on how adequacy may be assessed.
The Information Commissioner has defined two tests for assessing adequacy: an assessment of the adequacy of the legal regime in place in the country to which the data will be transferred; and an assessment of the general adequacy of the transfer bearing in mind the nature of the data being transferred. In particular, the Information Commissioner has recommended that such an assessment of adequacy should include an examination of a number of stated criteria applicable to the transfer as follows:
1. The nature of the personal data
Certain personal data are so widely available to the public that their transfer to a third country is of little consequence to the rights of the data subject, for example the statistics of sports stars or media personalities. Conversely, however, the transfer of previously unknown or sensitive personal data may have a considerable impact on the rights of the data subject, especially if that third country lacks the relevant regulatory protection for such data.
2. The country or territory of origin of the information contained in the data
If the data have been obtained in a third country originally, the data subject may have different expectations as to the level of protection that will be afforded to the data than if the data had been obtained in the EEA.
3. The country of final destination of that information
If it is known that there will be a further transfer of the data to another country, the data protection regime of that country must also be considered.
4. The purposes for which the data are intended to be processed
Some purposes may pose a higher risk than others, for example wide use of data for marketing contact.
5. The period during which the data are intended to be processed
The longer the period of processing, the more likely it is that any deficiencies in the data protection regime of that country will be exposed.
6. Any security measures taken in respect of the data in the third country
It may be possible to ensure security of the data by means of technical measures, for example encryption or the adoption of security management practices similar to those set out in ISO 17799.
More detail on the adequacy tests set out in the Information Commissioner's Guidance on overseas transfers.
The Commissioner also suggests that this might be the option used for data controller to data processor transfers. For example, if a UK company decides to outsource a back office function to China, the processing remains subject to the Act and the UK data controller remains responsible for protecting the data.
The seventh data protection principle requires there to be a written contract between the data controller and data processor which ensures the security of the data. Given that there is already a requirement to have a written contract in place, the Commissioner's guidance suggests that if due diligence on the data processor in light of the above criteria does not reveal any particular risks then the processor contract may be sufficient to comply with Principle 8. Nevertheless, many organisations prefer to use the model clauses as evidence of compliance.
See also: Overseas transfers of personal data (index to this series of guides)