The requirements
The eighth principle of the Data Protection Act 1998 prohibits the transfer of personal information to a country or territory outside the European Economic Area (the EU member states plus Iceland, Liechtenstein and Norway) unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of information about them. The principle exists to ensure that data protection rules cannot be circumvented by moving personal information to a place where it would enjoy no legal protection and where individuals would have no rights in respect of it. Transfers can still take place to countries which do not have equivalent data protection legislation, provided adequacy is ensured by other means in the particular circumstances of the transfer (for example by contract or binding corporate rules, as described below).
ICO guidance
The Information Commissioner has issued the following general advice to aid compliance with the eighth principle:
- A detailed legal analysis of the eighth principle and a suggested good practice approach to assessing adequacy prior to transferring personal data outside the EEA: International transfers legal guidance.
- General compliance advice for companies transferring personal data overseas: International transfers of personal data.
- The use of the model contracts for transfers to other organisations and to data processors processing personal information on their behalf:
  - Controller to controller
  - Controller to processor
We also have a good practice note on outsourcing for small to medium businesses.
Adequacy decisions
The eighth principle will not be breached where the transfer is to a country or territory that the European Commission has deemed 'adequate'. An up-to-date list of 'adequate' countries and territories can be found on the europa website. At the time of writing the following have been deemed adequate: Argentina, Canada, Guernsey, the Isle of Man, Jersey and Switzerland.
Safe Harbor - transfers to the USA
Personal information can also be transferred to companies in the US that have signed up to the 'Safe Harbor' agreement. These companies have agreed to abide by a set of rules similar to those found in our own data protection law. Information about this can be found on the europa website. A full list of companies that have signed up for the 'Safe Harbor' and details of how to sign up can be found on the US Department of Commerce website.
Contracts
Contract terms can also be used to legitimise a transfer of personal information outside the EEA. The European Commission has devised sets of model contract clauses and has decided that transfers made under those clauses provide adequate protection. The clauses and the adequacy decisions can be found on the europa website.
The Information Commissioner has authorised the use of model contracts for transfers from controller to controller and controller to processor. The Information Commissioner has also authorised the use of revised contractual clauses adopted in December 2004 for transfers from controller to controller.
Links to the model contract clauses:
- 2004 controller to controller
- 2001 controller to controller
- 2001 controller to processor
Binding corporate rules
Multinational organisations can transfer personal data outside the EEA, within their own group of companies, in a manner which ensures adequacy. Adequacy is achieved by the organisation adopting a binding code of corporate conduct covering the handling of personal data, known as binding corporate rules (BCR).
The use of BCR to ensure adequacy requires approval from the data protection authorities in the countries in which the group processes personal data. The Article 29 Working Party has adopted several documents to help with this process. The most recent documents, adopted in June 2008, are as follows.
- Table of BCR requirements (WP153), which sets out the elements that must be in any set of BCR. This does not create any new requirements; it is a summary of WP74 and WP108.
- Framework BCR (WP154), which is a suggestion of what a BCR might look like, containing all of the necessary elements of WP74 and WP108.
- Article 29 BCR FAQs (WP155), which are based on the experience to date of working with BCR applications.
The other Article 29 documents are as follows.
- Applying BCR for international transfers (WP74), which explains how BCR can be used to provide an adequate level of protection for personal data.
- Co-operation procedure (WP107), which explains how to submit a code for approval by the data protection authorities and how they will cooperate to come to a common opinion on the code.
- Model checklist (WP108), which describes the required contents of an application to a data protection authority for approval of a set of binding corporate rules.
- Standard application form (WP133), which we strongly advise you to use. This is based on the checklist in WP108.
All data protection authorities will work with these documents, and WP153 in particular, when assessing BCR applications.
Companies wishing to submit BCR for authorisation by the Information Commissioner should use the standard application form (WP133) and ensure all the elements specified in WP153 are contained in their rules. If you have any enquiries about BCR please refer to the Information Commissioner’s FAQ on BCR.
Please note that the Information Commissioner is subject to the Freedom of Information Act and you should mark any commercially sensitive documents as such.
Authorisations for transfers of personal data outside of the EEA
15 December 2005: The General Electric Company is authorised for transfers of employee data on the basis of binding corporate rules.
2 April 2007: Philips is authorised for transfers of employee data on the basis of binding corporate rules.