11. International Transfers of Personal Data
Under the DPA 1998, there are different legal requirements for contracts depending on which country the data will be held in. The most important distinctions are whether information will be held:
- within the EEA;
- in a country on the European Commission's approved list; or
- in another non-EEA country.
The countries which constitute the EEA are the 28 members of the European Union, together with Liechtenstein, Norway and Iceland. The full list is available on Europa, the website for the European Union.
These countries are considered to ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. This means that transfers of personal data between those countries are automatically permitted.
However, it is unwise to assume that transfers of personal data to, or from, other EEA States will always be straightforward. Prior to beginning any personal data transfers to EEA States, University staff should:
- Evaluate the relevant national legal and administrative compliance criteria for personal data transfers in all countries involved
- Liaise with appropriate officers in institutions/organisations to, or from, whom data is to be transferred, to allocate responsibility for ensuring that appropriate legal and administrative formalities have been satisfied
- Document both the legal and administrative requirements, and the agreed responsibilities of the respective parties, ideally in a contractual document, with appropriate warranties and indemnities in case of breach
Template clauses to incorporate into an existing agreement and a separate standalone template agreement are available from the Governance Officer (Data Protection & Legal).
11.2.1 Some countries outside the EEA have been officially deemed by the EU Commission to have an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. The EU Commission publishes a full list of approved countries, which includes Argentina, Canada, Switzerland, Guernsey and the Isle of Man.
11.2.2 Where the country has been formally assessed as providing adequate protections, the transfer is to be treated as a data transfer to an EEA country and the template clauses and agreements referred to in 11.1 above are to be used.
The DPA 1998 contains specific provisions with regard to the transfer of personal data to countries outside the EEA. The eighth data protection principle states: "Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data." This is qualified by a number of conditions; for example, personal data may be transferred to a country without an adequate level of protection where the data subject has given consent to the transfer.
11.3.1 University staff should ensure that there are clear and documented procedures and administrative responsibilities for the transfer of personal data to non-EEA countries. University staff should consult this checklist when considering if a transfer of personal data is proposed.
Formerly, the US Safe Harbor Scheme gave businesses an assurance that if they transferred personal data to members in the USA, they would satisfy the legal requirement that personal data transferred outside the EU was adequately protected. However, in a recent decision by the Court of Justice of the European Union (CJEU) that assurance has now been removed. The Office of the UK Information Commissioner (ICO) has commented that:
‘The judgment did not strike down Safe Harbor itself, but focused on the Commission Decision that had given the assurance to businesses. That means there is still a measure of protection for personal data transferred under the scheme – the privacy principles that members sign up to are still positive, for instance. But the assurance that meant Safe Harbor was automatically considered to provide the adequate protection required under the 8th data protection principle is no longer there.’
Negotiators for the European Commission and the US State Department had already been attempting to formulate a new deal for months, but the ruling put them under pressure to conclude the talks. A new agreement was reached in early February which is called the EU-US Privacy Shield. Under its terms:
- The US will create an ombudsman to handle complaints from EU citizens about the Americans spying on their data
- The US Office of the Director of National Intelligence will give written commitments that Europeans' personal data will not be subject to mass surveillance
- The EU and US will conduct an annual review to check the new system is working properly
- European data privacy watchdogs will work with their US counterpart, the Federal Trade Commission, to address any flagged problems
- Companies could be prevented from making use of the deal if they are found to fail to comply with privacy safeguards
The UK ICO’s response to this proposed way forward is in this blog and includes these comments: ‘It is too early to say whether the new Shield provides adequate protection for personal data passed from the EU to the USA’. ‘…there is not any new guidance for organisations at this stage – they must wait until the process of assessing the Shield is complete and the European Commission has made a formal decision on adequacy.’
Any staff who have concerns about current agreements or are contemplating future ones should contact the Senior Governance Officer (Data Protection & Legal) in Governance Services.
The DPA 1998 provides a number of exceptions to the prohibition on the transfer of the personal data in question, details of which are given with the checklist above.
11.5.1 Use of exceptions
Any use of these exceptions must be fully documented in order to justify the basis for any transfer made to a third country, in case of a challenge either by the Information Commissioner or in the courts.