The European Commission has published a series of flowcharts and FAQs (the Guidelines) on the transfer of personal data outside the European Economic Area (EEA) in accordance with the Data Protection Directive (95/46/EC).
GUIDELINES’ ROUND-UP OF THE EU PERSONAL DATA TRANSFER REGIME
The Guidelines show that a transfer of personal information from within the EEA to a country outside the EEA will only be acceptable if one of the following applies:
- The country is a “recognised third country”, i.e., the Commission recognises that the country has adequate data protection laws.
- The company to which the data are being transferred is a US company that is a member of Safe Harbor. Safe Harbor is a scheme set up by the US Federal Trade Commission and the European Commission whereby member companies promise to observe data protection principles broadly equivalent to those in the Directive.
- A permitted method is used by the EEA-based entity transferring the data. These include using appropriate contractual clauses, whereby the companies transferring and receiving the data undertake to ensure that the Directive is not infringed.
- A permitted derogation applies. This includes, for example, where the individual gives his clear, free and specific consent.
COMPLEXITIES NOT ADDRESSED BY THE GUIDELINES
The Guidelines are not a complete account of the legislative regime and companies should consider the following points:
- The Guidelines state on the front page that “they do not have any legal value and do not necessarily represent the position that the Commission may adopt in a particular case”.
- The Guidelines do not address the problem of “what personal data consists of”.
- The Guidelines do not resolve the problem inherent in all directives: there is no harmonised method to incorporate directives into Member States’ legislation. Accordingly, implementation will differ between Member States. Spain, for example, requires companies to notify their use of Model Contract Clauses, while the United Kingdom does not; France’s sanctions for infringement of the Directive are heavier than the United Kingdom’s. All of this tends to devalue the usefulness of any EU overview.
- The Guidelines’ round-up of corporate rules for use between companies in the same group does not properly convey the complexity, time and cost entailed in securing the appropriate approvals before a company can use permitted methods to transfer personal data to a group company based in a third country.
The EU data protection and transfer regime is not a simple one and the Guidelines tend to gloss over the more complex areas. Furthermore, because there is no harmonised method to incorporate directives into each Member State’s legislation, the Guidelines are clearly of limited use to a company that has a business model incorporating multiple EU entities and multiple data transfer processes to third countries.