As the trend towards off-shore outsourcing continues, businesses frequently need to address the complex issue of trans-border flows of data. Where the data is transferred outside the EU, the legal challenges become particularly difficult.

Overview Of Key Concepts

The Data Protection Act 1998 (the "Act") governs the processing of personal data in the UK.

"Processing" is a defined term and covers even the most basic dealing with personal data, including obtaining it, holding it on a database or calling it up on a screen. "Personal data" refers to data relating to a living individual who can be identified from that data, either in isolation or in conjunction with other information held by the data controller.

A "data controller" determines the purpose for which and the manner in which personal data are processed. This is to be contrasted with the role of "data processor" who merely processes data on behalf of the data controller. The primary responsibility for safeguarding personal data and complying with the Act falls on the data controller.

The Act seeks to implement Directive 95/46 "on the protection of individuals with regard to the processing of personal data and on the free movement of such data". From a practical perspective, the domestic legislation in each Member State implementing the directive is not entirely consistent. In addition, the individual Data Protection Authorities have adopted a range of approaches to the issue of trans-border flows of data.

Transfer Of "Personal Data" In An Outsourcing Transaction

What is the relevance of the data protection regime to an outsourcing agreement? In the context of commercial transactions generally, data controllers must ensure that they comply with the eight data protection principles set out in the Act. An outsourcing agreement is merely a specific type of commercial transaction and consideration needs to be given to satisfying these principles. Key amongst them is the first data protection principle: fair and lawful processing. In essence, this requires that the data controller provides fair processing information to the data subject and complies with a fair processing condition. The provision of fair processing information means that the data controller must inform the data subject of the identity of the data controller, the purpose of the processing and any other information necessary to satisfy the fair and lawful processing requirement. Usually fair processing information is provided at the point of data capture and frequently does not contemplate the possibility of onward transfers in the context of, for example, the outsourcing of specific functions.

Insofar as fair processing conditions are concerned, the conditions relied upon in the context of an outsourcing transaction are usually "consent" or "legitimate interest". However, consent may not be practical given the likelihood of commercial sensitivity and confidentiality concerns. Accordingly, legitimate interest is more frequently relied upon. The condition here requires that the data controller is satisfied that the processing is necessary for the purposes of its legitimate business interests except where the processing is unwarranted by reason of prejudice to the rights or freedoms or legitimate interests of the data subject. In other words, a balancing exercise is undertaken.

At What Point Does "Processing" Take Place In An Outsourcing Transaction? What Data Protection Obligations Arise?

In the context of an outsourcing transaction, data processing (i.e. transfer) is likely to take place during the due diligence and negotiation stages and also at completion. During the first of these phases, there may be a need for the company wishing to outsource (the outsource buyer) to disclose to the outsource vendor a certain amount of personal data including data relating to the directors, employees, customers and, possibly, suppliers. It may be difficult for the outsource buyer to provide fair processing information at this time given the likelihood of commercial sensitivity. One solution may be to anonymise the data. Confidentiality undertakings should also be employed, dealing particularly with the return or destruction of personal data in the event that the transaction does not proceed.

Personal data will also be transferred at completion. At this point, the obligations of the parties will be determined by the nature of the relationship (i.e. data controller vs data processor) and by the parameters of the consent obtained at the point of data capture.

Cross-Border Transfers Of Personal Data

As business is increasingly transacted on a global basis, and as off-shore (and near-shore) outsourcing continues to grow in popularity, the practical difficulties associated with cross-border data flows become apparent. There are two types of cross-border data flows to consider:

(i) Transfers to third parties; and

(ii) Intra-group transfers.

Both types of cross-border flow may occur in the context of an outsourcing transaction. In the case of intra-group transfers, these often take place in order to prepare for or to facilitate the principal outsource, but regular intra-group transfers may also be a key feature of the project on an on-going basis.

Prior to considering any transfer abroad, a data controller must ensure that personal data is collected and processed in accordance with local laws. It is then necessary to apply a legal basis for the data transfer. Essentially this means ensuring that the country to which the data is to be exported has an "adequate" level of data protection.

(i) Transfers to Third Parties

Within the UK, the Information Commissioner permits data controllers to make their own assessments on adequacy without the need to notify. It is a more flexible process than in other EU Member States but consequently less certain. In particular, in the event that the decision to export is later called into question, there is no authorisation to which the data controller may point. This means that data controllers should carefully document their decisions to export.

Data controllers should then follow the "good practice approach" to data export. The first consideration is whether there is any presumption of adequacy in respect of the country to which data will be exported. Specifically, has there been a Community finding of adequacy? (Currently Switzerland, Hungary, Canada and Argentina are the subject of Community findings.) In the case of a US company, has it signed up to "safe harbor"? The second stage is to consider the type of transfer: for certain types of transfer there may be a presumption of adequacy. The classic example of this is a controller to processor transfer, which is frequently the case in straightforward outsourcing to India. The third stage is to apply the adequacy test itself, which involves a consideration of certain general and legal criteria within the territory in question. Shortcomings can be addressed through the use of the model contract clauses. It should also be remembered that there are certain derogations under Schedule 4 of the Data Protection Act 1998.

The model contract clauses have been approved at EU level (and by the UK Information Commissioner). The difficulty with them is that, although they are compliant from a data protection perspective, the substantive provisions are not particularly commercial. Many outsource vendors (and outsource buyers) would not wish to sign up to their terms without amendment; further, as a contract is required between each transferor and transferee, there is the potential for a multiplicity of contracts to facilitate a global project such as an outsource transaction. It should also be remembered that notification may still be required in certain Member States, notwithstanding the use of the model clauses.

(ii) Intra-group Transfers

Whilst the model contract clauses are sometimes used in the context of intra-group transfers, there is also recognition at EU level (namely by the Article 29 Data Protection Working Party) that a system of internal contracts, entered into between subsidiaries within a corporate group, would provide a more practical solution to cross-border data flows. The Article 29 Working Party published a discussion paper on 3 June 2003 outlining the case for so-called "binding corporate rules for international data transfers". Whilst there is a degree of enthusiasm for this solution, there is no clarity at present as to what the rules will consist of, the level of detail which will be required, or the process for implementing those rules and ensuring they have binding effect.

Conclusion

As the trend towards off-shore outsourcing continues, issues of cross-border transfer of personal data will need to be considered seriously by organisations. Certainly the Data Protection Authorities across Europe are turning their attention to this issue. Whether your business is engaged in providing or buying outsourcing services, the key considerations from a data protection standpoint are set out in the short check-list below:

  • Identify the flows of data: source and destination
  • Establish respective roles: controller v processor
  • Controller must ensure own processing is compliant
  • Are controller/processor contracts required?
  • Negotiate robust representations and warranties

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.