Opt-4’s Rosemary Smith discusses the right ways to export data legally from Europe
The European Data Protection directive upon which current local laws are based (Directive 95/46/EC adopted in 1995) introduced the requirement to ensure that transfers of personal data outside the European Economic Area (EU countries plus Norway, Liechtenstein and Iceland) must only be made if data protection in the receiving country was “adequate” to ensure the rights and freedoms of the individuals whose data was being transferred.
The European Commission is able to designate certain countries as “adequate”. In addition US companies who have signed up to the “Safe Harbor”* scheme are also designated as adequate. Data transfers to these countries and companies are unlikely to be problematic – as long as suitable terms and conditions are applied.
*The Safe Harbor agreement was ruled invalid by the Court of Justice of the European Union (CJEU) in October 2015. The proposed replacement is the EU-US Privacy Shield, but as of May 2016 this agreement has not yet been finalised.
If you are transferring to countries without adequacy and you do not have specific consent for the transfer, there are two other ways of ensuring that the transfer is legal.
For international transfers within company one solution is the adoption of Binding Corporate Rules (BCRs), however, the process of creating these rules and getting them approved is lengthy. The General Electric Company became the first company to gain authorisation from the UK’s Information Commissioner for BCRs but waited nearly two years for their adequacy decision.
The most practical route then is the adoption of a contract between the exporting and importing companies. These contracts have to meet the standards that have been laid down by the European Commission and standard contractual clauses for adequate transfers (the model clauses) have been agreed by the Commission. The Commission’s agreement means that transfers made under contracts containing these clauses can be said to offer full protection for personal data that is transferred.
The broad purpose of the clauses is to ensure that when Personal Data is transferred the protections available in the originating country are maintained: The Exporter and Importer share the requirement to exercise due diligence over the origin and processing of the data; the Importer must warrant that local laws will not prevent him from abiding by the agreement with the exporter and the circumstances in which termination of the contract may take place are fully explored; the clauses allow for one contract to cover multiple transfers. The clauses cannot be altered in any way.
The adoption of these model clauses should ensure that marketers are able to share data with companies in other geographies with greater confidence.
Published June 2015
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.