The Ban on Personal Data Exports – Article 25 a.k.a. the Eighth Principle

Directive 95/46/EC introduced the Fortress Europe concept into data privacy. Article 25 (which is the Eighth Data Protection Principle in the UK Data Protection Act 1998) makes it unlawful to transfer personal data to countries outside the EEA which lack an “adequate” level of protection. This has caused great concern amongst the business community, not least because “adequate” is defined neither in the Directive nor in the Act.

How Do You Know if a Non-EEA Country Offers Adequate Protection?

The following questions are relevant in assessing adequacy: what kind of data are involved (sensitive or non-sensitive)? What is the purpose of the processing and for how long will it last? What are the relevant laws and codes of practice of the destination country?

The European Commission has formally recognised two non-EEA countries as having adequate data protection laws: Switzerland and Hungary. Transfers to these “white-listed” countries may be made on the same terms as if data were being transferred within the EEA. Similarly, although following considerably more wrangling, the Commission has recognised the US Safe Harbor scheme as providing adequate protection. This is a voluntary, self-certification arrangement available to US businesses and administered by the US Federal Trade Commission.

If your would-be data recipient is not based in a white-listed country and is not a Safe Harbor signatory the next consideration should be:

Is the Type of Transfer One With a Presumption of Adequacy?

These include transfers within an international or multi-national company or group where an internal agreement, policy or code applies, and transfers between the providers of professional services, such as lawyers or accountants, whose clients’ dealings are international. Categorising transfers by ‘type’ gives rise to presumptions rather than being determinative of adequacy. The limited class types identified will not apply to all situations.

If no presumption of adequacy applies, the next step is:

The Adequacy Test

The Information Commissioner has published guidance[1] setting out this test in detail. The Adequacy Test is a series of criteria which an exporting data controller should review as part of its risk assessment surrounding a non-EEA export of data. The Commissioner has recognised that this ‘DIY’ option, which includes a consideration of the law of the recipient country, may not prove popular with data exporters but still regards this approach as best practice. As the Adequacy Test is unlikely to provide a definitive answer to the question of whether a particular transfer complies with the Eighth Principle, it tends not to be a popular route in practice.

The final step is:

Does a Derogation Apply?

The exceptions most relevant to businesses are set out below:

  • The data subject has consented (unambiguously) to the transfer;
  • The transfer is necessary for the performance or conclusion of a contract involving, or for the benefit of, the data subject;
  • The transfer is necessary for the establishment, exercise or defence of legal claims;
  • The transfer is made on terms of a kind which are approved by the Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects.

It is the last exception which has been in the spotlight in recent months. In June a set of model contract clauses for controller to controller transfers was approved by the European Commission. The Commission’s Decision is binding on all Member States’ data protection authorities.

A draft set of clauses governing controller to processor transfers has also been drawn up by the Commission. The draft clauses were approved by the Article 31 Committee in December, making it highly likely that they will be adopted by the Commission. We have developed a set of Herbert Smith precedents based on the controller to controller and controller to processor models to assist clients in implementing these contracts in as painless a manner as possible. Please contact any member of our Data Privacy Group for further details.

Checklist

  • Is the third country the subject of a Community finding of adequacy?
  • Does the type of transfer carry a presumption of adequacy?
  • If not, apply the adequacy test.
  • If in doubt as to whether there is adequacy, is there a derogation?
  • If you need advice on the model clauses, contact the Herbert Smith Data Privacy Group.

[1] The Commissioner’s guidance “The Eighth Data Protection Principle and Transborder Dataflows” is available on her web site at www.dataprotection.gov.uk.

© Herbert Smith 2002

The content of this article does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances.

For more information on this or other Herbert Smith publications, please email us.