Proposed new data transfer rules not fit for 'interconnected world', says UK government

Out-Law News | 04 Mar 2014 | 2:24 pm | 4 min. read

The UK government has criticised proposed new rules for governing transfers of personal data outside of the EU.

Home secretary Theresa May said that the proposals were "inflexible" and "do not reflect the realities of the modern, interconnected world".

May was briefing the UK parliament ahead of today's meeting in Brussels of justice ministers from across the EU. On the agenda at the meeting are discussions on how to progress towards reforms to the EU's data protection framework.

May said, though, that the draft General Data Protection Regulation as currently worded should not be introduced into law.

"The UK continues to believe that [the draft General Data Protection Regulation] is far from ready for a general agreement, and that no such agreement can occur until the text as a whole has been approved," May told MPs. "The proposal remains burdensome on both public and private sector organisations and the government would not want to see inflexible rules on transfers outside the European economic area which do not reflect the realities of the modern, interconnected world."

Existing EU data protection laws only allow personal data to be transferred to third countries outside of the European Economic Area (EEA) where adequate data protection is in place. The proposed reforms, outlined in an EU draft General Data Protection Regulation, would keep this general principle in place.

Plans backed by the Greek Presidency of the EU's Council of Ministers contain a number of rules to follow or mechanisms to use which would allow organisations to comply with the new framework when transferring personal data outside of the EEA. The proposals build on existing mechanisms that can be relied upon by organisations for transferring personal data outside of the trading bloc lawfully.

Currently, the European Commission has designated a select list of countries as providing adequate data protection, meaning transfers of data to those countries can be made more freely than to others. A similar framework is envisaged under the new Regulation.

In other cases, businesses must generally either agree binding corporate rules (BCRs) with regulators that set out how the data being transferred will be handled, or otherwise use model contract terms with processors in third countries to meet their obligations on achieving adequate data protection. The ability to use BCRs and model contract clauses for governing data transfers is also foreseen under the reforms.

In addition, for EU-US data transfers, a Safe Harbour framework currently helps facilitate transfers of personal data to US companies that adhere to a range of privacy principles.

Alternatively, some EU member states, including the UK, allow businesses to rely on their own assessment of adequacy so as to go ahead with data transfers to third countries.

The European Commission's original draft of the new General Data Protection Regulation proposed introducing a right to self-assess adequacy across the whole of the EU, albeit a more limited right than the one currently enjoyed in the UK. The Greek Presidency's proposals (39-page / 414KB PDF), to be debated by the Justice Ministers in Brussels today, suggest a slight change to the original draft.

Under its plans, where the third country has not been designated as providing adequate data protection, and where none of the "appropriate safeguards" listed, or binding corporate rules, have been put in place, data transfers to third countries could still take place where the transfer of data is neither "large scale or frequent".

Such transfers would have to be "necessary for the purposes of legitimate interests pursued by the controller or the processor". However, where those legitimate interests are "overridden by the interests or rights and freedoms of the data subject" the transfers would not be permitted.

If those criteria are satisfied, the transfers would be allowed to proceed providing the business transferring the data "has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and, where necessary, based on this assessment adduced suitable safeguards with respect to the protection of personal data". The self-assessment right would not extend to public bodies, according to the plans.

The Greek Presidency's proposals do give support for a number of other circumstances in which personal data could be transferred outside of the main mechanisms listed, including where individuals have consented to the activity or where it is necessary for the performance or conclusion of a contract between businesses and individuals.

One rule allows data transfers to take place where the transfer is "necessary for reasons of public interest". The Greek Presidency has, however, proposed an amendment which seeks to provide the EU or individual member countries power to ban individual data transfer arrangements in certain circumstances.

"Union law or Member State law may, for important reasons of public interest, expressly prohibit the controller or processor to transfer personal data to a third country or an international organisation," the Greek Presidency said in a recent document.

Under other plans outlined by the Presidency, the processing of personal data for "direct marketing purposes" would be considered to be carried out in accordance with businesses' legitimate interest. This would enable those companies to process the data without individuals' consent, in certain circumstances.

The Presidency has also backed draft provisions which would allow businesses to comply with rules on privacy in the design of new products and services, and with rules on the security of processing, by making use of pseudonymised data only.

It has defined pseudonymisation as "the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution".

"An example of pseudonymisation would be the case where medical data from patients suffering from cancer go through a process of removal of directly identifying elements such as their names, and attributing randomly serial numbers to each patient, so that this resulting information could be used for medical research or public health purposes," it said.
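To make the definition and the cancer-data example above concrete, the following Python is an added illustration, not part of the Out-Law article or of the Presidency's text. It strips the directly identifying fields (here the constructed field names `name` and `patient_id`), replaces them with a random, non-sequential serial number, and writes the serial-to-identity mapping into a separate table. That table is the "additional information" the definition refers to: the research dataset alone cannot be attributed to a patient, and re-identification is only possible for whoever holds the table. The sample records are constructed for the example.

```python
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records: two direct identifiers plus the fields a
# medical-research or public-health use would actually need.
SAMPLE_RECORDS: List[Dict] = [
    {"name": "Alice Example", "patient_id": "P-0001", "diagnosis": "cancer", "age": 54},
    {"name": "Bob Example", "patient_id": "P-0002", "diagnosis": "cancer", "age": 61},
    {"name": "Carol Example", "patient_id": "P-0003", "diagnosis": "cancer", "age": 47},
]

# Hypothetical field names chosen for this example; a real schema will differ.
DIRECT_IDENTIFIERS = ("name", "patient_id")


def pseudonymise(records: List[Dict],
                 direct_identifiers=DIRECT_IDENTIFIERS) -> Tuple[List[Dict], Dict[str, Dict]]:
    """Split records into a pseudonymised dataset and a separate re-identification table.

    Returns (dataset, table). The dataset keeps only non-identifying fields plus a
    random serial; the table maps serial -> the removed direct identifiers and is
    what must be stored separately under technical and organisational controls.
    """
    dataset: List[Dict] = []
    table: Dict[str, Dict] = {}
    for rec in records:
        # Random serial from a CSPRNG, not a counter: a sequential number would
        # leak record order, and a hash of the name would be reversible by guessing.
        serial = secrets.token_hex(6)
        while serial in table:          # collision guard; practically never loops
            serial = secrets.token_hex(6)
        table[serial] = {k: rec[k] for k in direct_identifiers if k in rec}
        pseud = {k: v for k, v in rec.items() if k not in direct_identifiers}
        pseud["serial"] = serial
        dataset.append(pseud)
    return dataset, table


def reidentify(pseud_record: Dict, table: Dict[str, Dict]) -> Optional[Dict]:
    """Recover the direct identifiers for one pseudonymised record.

    Only works for a holder of the separate table; returns None otherwise.
    """
    return table.get(pseud_record.get("serial"))


def contains_direct_identifiers(dataset: List[Dict],
                                direct_identifiers=DIRECT_IDENTIFIERS) -> bool:
    """Release check: True if any direct identifier field survived in the dataset."""
    return any(k in rec for rec in dataset for k in direct_identifiers)


if __name__ == "__main__":
    dataset, table = pseudonymise(SAMPLE_RECORDS)
    print("research dataset:", dataset)
    print("identifiers leaked:", contains_direct_identifiers(dataset))
    print("re-identified first record:", reidentify(dataset[0], table))
```

The split into two artefacts is the point of the exercise: the dataset can be handed to researchers, while the table stays with the controller. Note that removing direct identifiers does not remove all re-identification risk; the remaining fields (age, diagnosis, and anything else retained) may still single out an individual when combined with other sources, so `contains_direct_identifiers` is a release sanity check, not a proof of non-attribution.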

The Council of Ministers, together with the European Parliament, will negotiate the final wording of the proposed General Data Protection Regulation, which is envisaged to replace the existing Data Protection Directive from 1995. The Ministers have yet to reach a consensus among themselves on proposed amendments to the European Commission's original draft Regulation. MEPs agreed on a common position in October last year.