Originally published in Reed Smith's Export, Customs and Trade Sentinel Newsletter, Winter 2008

EU data protection legislation provides a strict regime aimed at protecting the personal data of individuals within the EU. The primary restrictions are found in the EC Data Protection Directive (95/46/EC) (the "Directive"), which contains a number of requirements and prohibitions. The Directive prohibits the transfer of personal data from EU countries to countries outside the European Economic Area, unless the destination country provides an adequate level of protection for the rights and freedoms of the individuals to whom the personal data relates or some other derogation applies (the "Prohibition").

The decision as to whether a country offers an adequate level of protection rests with the European Commission. Countries currently found to offer such protection include Canada, Argentina, and Switzerland, but not the United States. The U.S. Department of Commerce's Safe Harbor scheme offers a limited exception and is discussed below. (See also www.export.gov/safeharbor/sh_overview.html.)

The Directive is brought into effect in each of the EU countries through domestic enabling legislation. In the UK, the Directive was enabled through the Data Protection Act of 1998 (the "Act"). The Act and its subsequent case law have broadly defined personal data as data that relates to a living individual who can be identified from that data, or in conjunction with other information that is in the possession of, or is likely to come into the possession of, the organization holding the personal data. This will therefore include: names, addresses, telephone numbers, and dates of birth. The information does not have to be confidential; however, where the information is sensitive, e.g., medical records or criminal convictions, additional restrictions apply.

The definition of personal data that is covered by the Prohibition is therefore extremely broad and is likely to catch any data-flows of organizations with offices in both the United States and the UK. We should bear in mind that it is not just the personal data of customers but of any living individual, so employees and supplier contacts are also included.

The following permitted exemptions from the Prohibition are the primary ones used:

  • Consent: The individual to whom the personal data relates has given their express consent to the specific transfer, having been informed of the reason for the transfer, the destination country, and any anticipated risks associated with the transfer. This consent must be capable of being withdrawn by the individual. It is therefore more suitable as a method for new contacts with prospects (e.g., mailing lists) rather than ongoing relationships (e.g., customers). Furthermore, some EU countries have expressly provided that employees cannot give consent to such a transfer, as the power relationship with employers is such that any consent is deemed to be under duress.
  • Necessity: If the transfer is necessary for (among other grounds) the performance of a contract between the individual and the organization holding their personal data, for reasons of substantial public interest, or in connection with legal proceedings, it does not violate the Directive. The regulators have taken a very strict view of what is "necessary": if the contract can be performed in any way without the export of the data, then the export is not necessary. This applies to almost all outsourced processing and even to most employee data transfers, because, strictly speaking, the UK subsidiary can perform all necessary functions without exporting the data to the United States. Similarly, although personal data that is required to be produced in litigation is exempt, the exemption does not extend to data required for arbitration or other statutory enquiries, or even to the export of data for the assessment of privilege and relevance prior to production in litigation.

To overcome the Prohibition and the limitations of the above exemptions, the three methods discussed below have risen in prominence as offering the most commercially effective means of transferring personal data from the UK to the United States:

The U.S. Department of Commerce Safe Harbor – To participate in the Safe Harbor scheme, the U.S. organization wishing to receive personal data from the EU must be subject to the jurisdiction of an independent statutory body that can monitor and enforce compliance with the terms of the Safe Harbor and that the European Commission has recognized for this purpose. The Federal Trade Commission and the Department of Transportation (for carriers and ticket agents) are the statutory bodies so recognized.

Organizations participating in the Safe Harbor scheme must comply with certain standards that broadly correspond to the requirements of the Directive. Once an organization formally agrees to participate in the Safe Harbor scheme, it can receive personal data from the EU. However, U.S. companies in certain sectors (e.g., financial services and telecommunications) cannot participate in the Safe Harbor scheme because their regulator has not yet been recognized by the European Commission for this purpose.

In practice, this scheme has not been popular with U.S. organizations. This is because of the enforcement powers of the independent statutory bodies if the scheme is breached, and the potential for the individual to whom the personal data relates to bring a direct action for any breach in the U.S. courts. The scheme has also suffered from doubts (expressed by the European Commission) as to the adequacy of the data protection it provides.

Model Contracts – In 2001, the European Commission adopted Decisions approving basic sets of standard contractual clauses (Model Contracts) for the export of data from the EU. These Model Contracts have since been updated and have been applied successfully in many cases.

The Model Contracts incorporate the contractual requirement that the personal data transferred be handled in a manner compatible with EU data protection law. In particular, they require that appropriate technical and organizational measures be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The entity exporting the data must use reasonable efforts to determine that the data importer is able to satisfy its legal obligations under the Model Contract.

Model Contracts have been viewed as the simplest and most commercially viable way of working round the Prohibition. They do, however, require every entity within an organization that exports or receives personal data to be a signatory to the Model Contract, which can be complex where a company has numerous subsidiaries or outsources certain data-processing functions. They also add a further layer of regulation that must be complied with in addition to any internal data protection policies.

Binding Corporate Rules – In answer to the perceived problems of the above methods, a new solution is growing in popularity: Binding Corporate Rules ("BCRS").

BCRS are rules developed by an organization and then approved by the data protection authority of a European country as being sufficient to ensure an adequate level of data protection. As it has tended to be only large organizations with existing data protection policies that apply for approval of BCRS, the formation of BCRS has tended to take the form of tying all of the organization's existing data protection documentation, policies, and procedures into a framework document, which becomes the BCRS. The BCRS must clearly and bindingly embody the organization's commitment to ensuring that personal-data transfers occur only in accordance with EU data protection law. The BCRS can itself be a relatively high-level document, with the detail provided in cross-referenced policies and procedures.

In January 2007, the EC Article 29 Data Protection Working Party published a checklist for entities wishing to submit an application for approval of BCRS. Although use of the checklist is not mandatory, it gives an applicant assurance that all the requirements for an application have been covered.

Organizations must choose the data protection authority of one EU country (usually the country in which their European headquarters are based) as the lead authority to which the BCRS are submitted. Once that authority has approved the BCRS, it will assist in obtaining approval from the other EU states from which personal data transfers will occur, a process that is time-consuming.

The UK data protection authority has to date approved BCRS for Philips, in respect of customers' personal data, and for General Electric. It is widely expected that BCRS will become an increasingly used option for personal data transfers.

Future Developments

Increased scrutiny is being placed on data protection in the UK following a number of recent high-profile security breaches, including the loss of the records of 25 million individuals by the UK tax authorities and of 11 million customers by the Nationwide Building Society. These breaches attracted widespread media attention and resulted in significant reputational damage (and, in the case of Nationwide, financial penalties). There have also been calls for the UK to follow legislation in force in a number of U.S. states that requires public notification of such breaches, and it is widely expected that this approach will be adopted in some form. It is timely for organizations with operations in the EU to take this opportunity to review their data protection policies.

This article is presented for informational purposes only and is not intended to constitute legal advice.