Cross-border data transfer - delusions of adequacy?
India's recent demand for European Union designation as a data secure country (see our blog) has brought the issue into the spotlight. Here we take a closer look at those nations which have achieved EU recognition and the benefits of doing so.
Article 25(1) of the Data Protection Directive (95/46/EC; in the UK enacted through the eighth principle of the Data Protection Act 1998) prohibits the transfer of personal data to a third country (i.e. a country or territory outside the EEA) unless that third country provides an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Several exceptions to this rule are available, including, in particular, the use of the Commission-approved model clauses (standard contractual clauses).
Data transfers to third countries arise in many circumstances: where an EU-based business relocates functions to subsidiaries outside the EEA; where it establishes an offshore shared service centre which processes, for example, HR or payroll data; where data is transferred for offshore processing as part of an outsourcing agreement with a third party supplier; or as part of a hosting or cloud computing deal. The onus is on the data controller to ensure that it complies with the eighth data protection principle in relation to any cross-border transfer of personal data.
The European Commission has designated a small number of third countries as providing adequate protection. It publishes a list of its decisions on the adequacy of the protection of personal data in third countries, together with copies of each Commission Decision and the Article 29 Working Party Opinion on which the decision is based.
The European Commission has so far recognised the following countries: Andorra (2010), Argentina (2003), Canada (2002), Faroe Islands (2010), Guernsey (2003), Isle of Man (2004), Israel (2011), Jersey (2008) and Switzerland (2000); the primary data protection laws considered by the Working Party to provide adequate protection being:
- the Qualified Law on the Protection of Personal Data, 2003 (Andorra);
- the Argentinean Constitution, Personal Data Protection Act No.25.326 and Regulation approved by Decree No. 1558/2001 (Argentina);
- the Personal Information Protection and Electronic Documents Act, 2000 (Canada);
- the Data Protection Act, 2001 (Faroe Islands);
- the Data Protection (Bailiwick of Guernsey) Law, 2001 (Guernsey);
- the Data Protection Act, 2002 (Isle of Man);
- the Privacy Protection Act, 1981 (Israel);
- the Data Protection (Jersey) Law, 2005 (Jersey); and
- the Law on Data Protection, 1992, as amended by Swiss Federal Council ruling of 1993 (Switzerland).
The US has not been deemed to provide adequate protection. However, personal data sent to US organisations certified under the Safe Harbor scheme agreed between the EC and the US government in 2000 is considered to be adequately protected. Not all US companies can qualify for the Safe Harbor programme, e.g. companies in financial services, transport and telecommunications. There are also several international agreements to which the EU is a party which permit and require the transfer of passenger name records (PNR) of all airline passengers (e.g. with Canada in 2005, the US in 2007 and Australia in 2008).
The benefit of recognition is that personal data can flow from the 27 EU member states and the three non-EU EEA countries (Norway, Liechtenstein and Iceland) to a recognised third country without any further safeguard being necessary. The recognition process can, however, bring pressure to bear on the third country to undertake some remedial action. For example, whilst making a finding of adequate protection in the case of Argentina, the Working Party urged "the Argentinean Authorities to ensure the effective enforcement of the legislation at a provincial level by means of the creation of the necessary independent control authorities."
What is not entirely clear is whether the Working Party monitors how its recommendations are dealt with, if at all, once a third country has obtained a decision of adequacy. Nor is it clear whether it monitors and reviews amendments to that country's existing data protection regulations, or the introduction of new ones, with a view to reaffirming (or otherwise) the adequacy finding.
As data protection and security move increasingly high up the corporate agenda, recognition itself may add a degree of comfort to the enterprise sending data to that third country (recognising, however, that adequacy is not the same as equivalence). As reported by the Economic Times of India, the Indian government believes that "recognition as a data secure country is vital ... to ensure meaningful access in cross border supply." Underlying this seems to be the fear articulated by Ameet Nivsarkar, vice-president of Nasscom, that "European companies start insisting on a data secure status as a critical factor for giving business." As the European Commission has recently announced its comprehensive reform of EU data protection rules, perhaps we will see an uptick in third countries looking to achieve an adequacy designation.