Feeds

EC publishes Q&A on overseas data transfer

Where your personal bumf can go on its hols

Boost IT visibility and business value

The European Commission has prepared a set of questions and answers as well as a flowchart to help companies understand when they can and when they cannot send personal data abroad.

The European Union's Data Protection Directive protects the personal data of EU citizens from abuse and misuse. Organisations have a duty to protect it, and that means ensuring that it is not sent to countries with poor data protection.

The Directive says that data can be sent to another country "only if... the third country in question ensures an adequate level of protection".

Only a handful of countries have been deemed acceptable destinations for data by the European Commission. Those are Switzerland, Canada, Argentina, the Bailiwick of Guernsey, the Isle of Man, the Bailiwick of Jersey and the US, when the data's treatment is in the Safe Harbor Privacy Principles of the US Department of Commerce

The advice has been prepared by the Data Protection Unit of the Directorate-General for Justice, Freedom and Security at the European Commission. It is designed particularly to help small and medium sized companies to understand the law when it comes to transferring personal data outside of the European Economic Area (EEA).

The guidance points out that in order for a transfer to be legal, data has to be properly handled in the first place according to the data protection laws of the country where the processing organisation is established.

If the transfer is to a country not listed as having adequate data protections in place, a transfer can still take place, the guidance says, but only if "the data controller offers 'adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights'," says the guidance, quoting the Directive.

"These safeguards may result from appropriate contractual clauses, and more particularly from standard contractual clauses issued by the Commission," it said. "In the case of multinationals, the adoption of binding corporate rules could be an appropriate solution."

Binding corporate rules can be put in place by corporations which want to operate in a number of countries. They submit their data protection processes for analysis by a data protection authority, such as the UK's Information Commissioner's Office (ICO). That office then gains the approval for the processes from the data protection authority in every EU country in which the organisation wants to operate.

Once that approval has been won the organisation is free to move data from these countries to any country in the world, as long as the data stays within the corporate structure of that organisation. Very few companies follow this approach. The ICO lists only two: Philips and General Electric.

For international transfers outside of an organisation, companies will have to use contractual safeguards for the data, unless it has the consent of all data subjects to the transfer.

"The Commission has the power to decide that certain standard contractual clauses offer sufficient safeguards as required by Article [the Directive], that is, they provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights," says the guidance.

"The effect of such a decision is that by incorporating the standard contractual clauses into a contract, personal data can flow from a data controller established in any of the [EEA countries] to a data controller established in a country not ensuring an adequate level of data protection. Except in very specific circumstances, national data protection authorities cannot block such transfer."

See: The guidelines (pdf)

Copyright © 2009, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Build a business case: developing custom apps

More from The Register

next story
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Sonos AXES support for Apple's iOS4 and 5
Want to use your iThing? You can't - it's too old
Amazon says Hachette should lower ebook prices, pay authors more
Oh yeah ... and a 30% cut for Amazon to seal the deal
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
Too many IT conferences to cover? MICROSOFT to the RESCUE!
Yet more word of cuts emerges from Redmond
Joe Average isn't worth $10 a year to Mark Zuckerberg
The Social Network deflates the PC resurgence with mobile-only usage prediction
Chips are down at Broadcom: Thousands of workers laid off
Cellphone baseband device biz shuttered
Feel free to BONK on the TUBE, says Transport for London
Plus: Almost NOBODY uses pay-by-bonk on buses - Visa
Twitch rich as Google flicks $1bn hitch switch, claims snitch
Gameplay streaming biz and search king refuse to deny fresh gobble rumors
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.