Transferring personal data to the USA
Under the Data Protection Act 1998, data controllers should not transfer personal data outside of the European Economic Area unless the country to which the data is transferred offers an adequate level of protection (the eighth data protection principle).
Transfer or transit?
Consider first if the data is being transferred or is only in transit in the country outside the EEA. The Data Protection restrictions do not apply where data is in transit through a country, meaning where data simply passes through a country on the way to its destination. For example, if personal data is transferred from country “A” to country “B” via a server in country “C”, and nobody accesses or manipulates the information while it is in country “C”, the transfer is only to country “B”.
The effect of Schrems v Data Protection Commissioner
In assessing which countries offer ‘an adequate level of protection’, it is permitted to transfer personal data to a country which is on the list of countries approved by the European Commission for data transfers. The list included United States of America organisations that participate in the Safe Harbor program, but that framework was struck down as invalid by the Court of Justice of the European Union on 6th October in the case of Schrems v Data Protection Commissioner Case C‑362/14 CJEU.
The US Department of Commerce states that it will continue to administer the Safe Harbor program, including processing submissions for self-certification. The European Commission and the US continue to negotiate a revised Safe Harbor agreement aimed at addressing the issue of more adequate protection for personal data originating in the EU. Meanwhile, organisations are looking for other comfort that they are transferring data lawfully. We set out some options below, but caution is necessary as the ruling in Schrems v Data Protection Commissioner Case C‑362/14 CJEU is so broad that any mechanism used to transfer data from Europe could be under threat.
Otherwise assessing an adequate level of protection
Organisations will be looking to see if there is any other way to establish that there is in place ‘an adequate level of protection’. The ICO has useful guidance at https://ico.org.uk/for-organisations/guide-to-data-protection/principle-8-international/
Essentially if a data controller wants to transfer personal data to a country outside the EEA which is not on the Commission’s approved list, then it can do so provided that:
- It has assessed that the recipient country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. In practice this is uncommon.
- It has put in place adequate safeguards to protect the rights of the data subjects whose personal data is transferred, such as entering into a contract with the data processor in the recipient country that includes the Model Contract Clauses approved by the European Commission. This is probably the most useful long-term solution. The ICO guidance contains links to the clauses.
- It gets its Binding Corporate Rules approved by the Information Commissioner. This is a complicated process but can be worthwhile; or
- It relies on one or more exceptions contained in Schedule 4 of the DPA. Examples of exceptions include:
  - where the data subject has given his consent to the transfer (but this needs to be clear and specific);
  - where the transfer is necessary for the performance of a contract between the data subject and the data controller, or for the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller;
  - where the transfer is necessary for the conclusion, or the performance, of a contract between the data controller and a person other than the data subject which is entered into at the request of the data subject, or is in the interests of the data subject.
For more comprehensive information about Data Protection, including International Transfer of Personal Data, please see our guides on Data Protection written by Catherine Richmond at Cloisters.