Data Transfers

by Robert Haniver

Transfers of Personal Data Abroad

Irish Data Controllers ('Controllers') transferring personal data outside the European Economic Area (EEA) must establish whether the 'third country' destination has adequate safeguards to protect the privacy and fundamental rights and freedoms of the individual to whom the personal data relates (the 'data subject'). It is unlawful to transfer personal data to a third country without complying with the conditions specified in section 11 of the Data Protection Acts 1988 and 2003 ('the Acts').

Commission Adequacy Findings

Before transferring personal data to a third country, Controllers should establish whether the destination is on the European Commission's 'approved list'.

Certain non-EEA countries (Switzerland, Canada, Argentina, Guernsey, the Isle of Man, the Faroe Islands and Jersey) are approved by the European Commission as having an adequate standard of data protection. Furthermore, the US 'Safe Harbor' Privacy Principles (issued by the US Department of Commerce) are approved by the European Commission for the transfer of personal data to US companies that have subscribed to the arrangement.

Member States may also assess the adequacy of data protection safeguards in third countries. The Data Protection Commissioner (the 'Commissioner') can prohibit transfers to any third country where he considers the destination unable to adequately protect the data subject's privacy and rights and where he considers it likely that the transfer will cause damage or distress to any person. Controllers should therefore check with the Commissioner before transferring data to 'unapproved' third countries.

What if the third country is not 'approved'?

If the third country is not on the European Commission's 'approved list', the Controller should consider putting in place safeguards, such as requiring the non-EU/EEA data importer to enter a contract incorporating certain approved provisions or making other formal arrangements to ensure an adequate level of data protection.

The European Commission has prepared three sets of Standard Contractual Clauses ('Model Contracts') that can be used to facilitate the transfer of data. The Model Contracts contain provisions which require the third country organisation to adhere to data protection rules and comply with the Controller's instructions and security measures. The Model Contracts are approved by the Commissioner so their use would automatically allow a transfer to proceed without having to deposit a copy of the contract with the Commissioner.

In addition to the EU-approved Model Contracts, the Commissioner can endorse model contracts that are specific to Irish circumstances and can approve particular contracts or arrangements that provide adequate safeguards. A Controller cannot rely on its own company-specific 'model contract' unless it has received the Commissioner's prior approval.

The Model Contracts only concern data protection, so the Controller and data importer can include other clauses on relevant business-related issues provided they do not contradict the standard data protection clauses.

When all else fails

If personal data is to be transferred to an unapproved third country and for whatever reason it is not practical or feasible for the Controller to safeguard the data by incorporating standard contractual provisions, the Controller may rely on the specific exceptional circumstances listed at section 11(4)(a)(i)–(viii) of the Acts to permit the transfer. However, it is preferable that standard contractual clauses or other solutions are adopted before relying on these statutory derogations.

Model Contracts

The European Commission Model Contracts allow personal data to be transferred to a third country that is not considered to have an adequate level of data protection. The three sets of Model Contracts are briefly described below and are available as blank templates on the European Commission's website.

Controller to Controller

Sets I and II of the Model Contracts facilitate the transfer of personal data from a data controller in the EEA to another data controller outside the EEA. There are technical differences between the two sets; however, they provide a similar level of data protection standards and principles. It is up to the Controller to decide which set best suits its requirements.

Controller to Processor

Set III provides standard contractual clauses to facilitate the transfer of personal data to data processors established outside the EEA.

The standard 'Controller to Processor' agreement (approved by Commission Decision 2002/16/EC) was recently updated by a Commission Decision of 5 February 2010. This modifies the current standard contractual clauses in light of the expansion of data processing activities and the new business models of companies engaged in global processing activities.

The new 'Controller to Processor' model contract includes provisions allowing the outsourcing by the non-EEA data processor of its data processing functions to non-EEA sub-processors ('subcontractors'), provided the transferred personal data continues to be protected notwithstanding the subsequent transfer.

If data processors in non-EEA countries intend to use sub-contractors to process personal data on behalf of the Controller, they must first obtain the Controller's prior written consent. Furthermore, the data processor and sub-contractor must have a written agreement which includes the same obligations as those imposed on the data processor under the standard contractual clauses. This requirement may be satisfied by the sub-contractor co-signing the contract entered into between the Controller and the data processor.

The recently adopted Commission Decision also provides that the new standard contractual clauses are enforceable by data subjects who suffer damage as a result of a breach of the data transfer agreement.

'Controller to processor' data transfer agreements entered into from 15th May 2010 must comply with the new format.

Multinational organisations

Multinational companies may adopt approved 'binding corporate rules' for international data transfers where the transfer occurs between companies belonging to the same multinational. These are legally enforceable codes of practice for data protection which must be pre-approved by the Data Protection Authority where the multinational has its headquarters or its main centre of activity in the EU.

For further information please contact our Corporate Law Department on (01) 240 1218 or lex@orourkereid.com.
