The eighth data protection principle in the Data Protection Act 1998 provides:
"Personal data shall not be transferred to a territory outside the EEA unless that territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data"
This implements Article 25(1) of the EU Data Protection Directive (95/46/EC) into UK law.
The effect of Article 25 is that a European business which is a data controller may not transfer personal data to a data processor based in a non-EEA territory (known as a 'third country') unless that territory ensures an adequate level of protection.
One way to ensure compliance with Article 25 is to require the data processor to sign up to the EU 'Model Clauses'. These put in place arrangements to ensure that the rights of the data subjects are protected after the data is transferred. The Model Clauses were contained in a European Commission Decision of 2002 (2002/16/EC). However, the Commission has just issued a new Decision (2010/87/EU) which updates the Model Clauses. The clauses have been updated to reflect the fact that data processors are increasingly outsourcing the processing activities to sub-processors and aim to ensure that the rights of data subjects are protected where this happens. Otherwise, the Model Clauses are unchanged. The updated clauses apply as from 15 May 2010. The old clauses can be used until that date but the new clauses must be used after that date for new contracts or for amended existing contracts.
Click here to navigate to the Commission Decision 2010/87/EU (the new Model Clauses)