A new regime for international data transfers

Posted on 08 February 2016. Source: Outsource Magazine

The basis upon which European businesses are able to send personal data outside of Europe – and, especially, to the United States – has recently been the subject of intense scrutiny and negotiation between the EU Justice Commissioner and the US Department of Commerce. The outcome seems to be that EU businesses are allowed to send data to the US, but it’s useful to understand the background and what has been agreed.

Two very different things set the backdrop to last week’s EU/US agreement.

First, the EU’s 1995 privacy directive, which sets out the current law applying to businesses operating in the EU – and which is the law from which the UK’s Data Protection Act is derived – makes clear that data cannot be transferred outside of Europe unless:

(i) the EU has agreed that a country provides an adequate level of security for data (and the US has not met that standard);

(ii) the ‘data exporter’ (the EU business) and ‘data importer’ (the US business) have signed a ‘model clauses’ contract, which puts EU-approved terms in place between those parties;

(iii) it’s a transfer of data within a multinational that has put in place an approved set of ‘binding corporate rules’;

(iv) the data subject has consented to the transfer; or

(v) the EU has approved some other scheme.

One such other scheme approved by the EU was the so-called ‘Safe Harbor’ programme set up by the US Department of Commerce. Under the programme, US companies would confirm that they complied with the ‘Safe Harbor’ rules, which were intended to give EU businesses a sufficient level of comfort that the US data importer would protect any personal data sent to it. Lawyers would worry whether the Safe Harbor scheme was actually good enough, and there was often technical debate around whether US security and law enforcement agencies could access the data, especially under the Patriot Act. But we all got on with sending data to the US, because, if we didn’t, business would come to a halt – after all, almost all major providers of technology solutions end up with at least some part of their service being based in the States.
