Data export - the current position
EU-based data controllers are prohibited from transferring personal data outside of the European Economic Area (EEA) to associated companies or third parties (such as outsourced service providers) unless the non-EEA country adequately protects personal data and the rights of data subjects. In the UK this restriction is known as the 8th data protection principle.
There are now nine countries that are 'white-listed' (they've been assessed and are considered to offer adequate protection) by the EU for data export purposes.
- Andorra
- Argentina
- Canada
- Faroe Islands
- Guernsey
- Isle of Man
- Israel
- Jersey
- Switzerland
There are a number of ways in which businesses can comply with the 8th principle. The UK Information Commissioner's Office (ICO) takes a pragmatic approach and expressly states that it is possible for UK-based data controllers to self-assess whether personal data is adequately protected.
In reality most businesses take a more cautious approach and adopt the more formal routes to compliance which include:
- Use of the EU approved model contract terms with the data importer.
- Use of binding corporate rules for intra-group transfers (so far used by only about 40 companies).
- Only exporting to a US business if it is 'Safe Harbor' accredited.
- The allowed derogations (e.g. data subject consent) are also used occasionally.
The ICO calls for a 'radical rethink' of this area of law. It favours an approach which allows data controllers to make their own risk assessment in the knowledge that if a data breach occurs, they will be liable. This view is echoed by other bodies such as the Cloud Industry Forum, which considers the continuation of the data export rules unnecessary.
The proposed position under the regulations
The radical rethink suggested by the ICO is not favoured by the EU Commission. Restrictions on data exports remain and the proposed changes introduce significant increases to export regulation. Some of the key changes include:
- The self-assessment option is removed - it won't be possible for data controllers or data processors to reach their own conclusions on the adequacy of protection. An adequacy decision must already have been made by the Commission in relation to the country or organisation.
- Data export laws will apply to data controllers and data processors. Data processors will be directly regulated and not just bound by contractual obligations to data controllers. They will be exposed to enforcement and regulatory sanctions.
- Binding corporate rules for intra-group transfers are formally enshrined in law by the regulations. The requirements for the rules are also set out in the regulations.
- Intentional or negligent breach of the data export requirements will incur a maximum level of fine - up to €1 million or 2% of annual global turnover.
It is questionable whether an increase in regulation of data exports (or indeed the continuation of the export rules at all) is practical, necessary or in the interests of EU businesses and data subjects.
