Transferring personal data from the EU to anywhere outside the EEA is only allowed if high-quality protection is ensured.
Article 25(1) of the EU Data Protection Directive (Directive) says that this level of protection is one that is adequate in all circumstances.
Article 26 of the Data Protection Directive explains alternate ways data can be transferred to countries which do not provide the level of protection needed. Transfers can still be permitted if:
- They evidence that they can put in place appropriate safeguarding measures. This must be done using Binding Corporate Rules, which are approved by the National Data Protection Authority.
- They rely on one of the derogations set out in Article 26(1)(a) to (f) of the Directive. This can include transfers which are necessary for the performance of a contract between the data subject and the controller.
- They transfer data under standard contractual clauses.
The European Commission has made many observations and has found that many countries do not provide the adequate protection which is required. The observations are as follows:
- Contractual Solutions – If a national authority has concerns regarding Safe Harbor, it must bring them forward for judicial review. If the exporter receives information from the importer regarding changes to legislation etc., it may have to put additional levels of protection in place, or even stop transferring to that country altogether.
- Intra-group Transfers – These transfers must be authorised by the National Data Protection Authority in each country.
- Derogations – The Working Party believes repeated or structural data transfers are not ideal and should not be carried out on the basis of a derogation, unless they have very high-quality safeguards and work within a specific legal framework.
To conclude, although there are issues regarding the transfer of personal data outside the EEA, there are measures in place. If they are followed, this will be sufficient: the data can be used effectively and still be highly protected. This also depends on the willingness of the National Data Protection Authorities and how they take and enforce actions.