Following the implementation of European Directive 95/46/EC (whose obligations were given effect in the United Kingdom by the Data Protection Act 1998, the "DPA"), strict provisions apply to the processing and storage of personal data (information relating to a living individual who can be identified from it, directly or in combination with other information). The Directive governs the flow of such data within the European Economic Area (Norway, Iceland, Liechtenstein and the 15 EU Member States, "the EEA"). Its provisions require every EEA country to protect the fundamental rights and freedoms of its citizens, with particular emphasis on the right to privacy. In the United Kingdom, it is the role of the Information Commissioner to enforce the DPA.
In an age of the "Global Economy", personal data is increasingly transferred between countries, especially over the internet, in many industries, including insurance. The legislation was adopted to ensure that all EEA countries take a uniform approach to the protection of such data. A problem has arisen, however, in relation to the transfer of data from an EEA country to "third countries" outside the EEA.
Article 25 of the Directive requires the receiving country (the "third country") to ensure an "adequate level of protection" for personal data emanating from within the EEA. In practice, the European Commission investigates a particular country's data protection laws and confirms whether they are adequate. Transfers between Member States are not restricted, since each has implemented the Directive and is therefore taken to provide adequate protection. What constitutes "adequate protection" for a third country depends upon various factors, including the nature of the data, the purpose and duration of the processing, the country of origin and the country of final destination, the rules of law in force in the third country, and any professional rules and security measures complied with in that country.
Importantly, if the third country is unable to ensure "adequate protection" of data received from the EEA, Member States must take measures to prevent any transfer of data of the same type to the third country in question. Multinational insurance companies and brokers should take note as the Directive also applies to businesses in the same group of companies that operate both within and outside of the EEA. Therefore personal data sent between international offices of the same company would be subject to these regulations.
Needless to say, this requirement to adequately protect personal data has caused tension between the EEA and its trading partners, most notably the United States. The United States takes a different approach from the EEA to the regulation of personal data, relying on a mixture of sector-specific legislation, regulation and self-regulation. By comparison, the EEA countries use comprehensive legislation to create government data protection authorities which ensure that the privacy of EEA citizens is protected.
After protracted negotiation, the European Commission now accepts that US companies which subscribe to the "Safe Harbor" framework provide an adequate level of personal data protection. The framework is effectively a data protection code of practice and is maintained by the US Department of Commerce. Companies participating in and subscribing to the rules of the Safe Harbor are deemed by the European Commission to provide adequate data protection. It is therefore necessary for businesses in the EEA to check that any US business receiving their personal data has subscribed to the Safe Harbor before the transfer takes place.
The regularly updated website of the US Department of Commerce (www.export.gov/safeharbor) contains a public list of subscribing businesses. Members must certify to the US Department of Commerce annually that they agree to and comply with the requirements of the Safe Harbor. In addition to the Safe Harbor agreement in the US, the EEA has also acknowledged that Switzerland and Hungary provide adequate data protection.
Although the European Commission is in the process of negotiating data protection levels with several other third countries, it will clearly take a considerable length of time before all countries receiving data from the EEA will have approved levels of data protection. Transferors of data therefore face the uncertainty of not knowing which countries will receive approval, in other words, which countries they are permitted to transfer data to.
To avoid this uncertainty, a working party of the European Commission is developing a model contract which will permit the transfer of personal data to third countries with inadequate or not currently recognised levels of protection. This contract is likely to require the party receiving the data to provide protection levels similar to those imposed on businesses within the EEA.
However, until the model contract is finalised, companies who transfer personal data outside the EEA to countries other than Switzerland, Hungary and companies subscribing to the Safe Harbor in the US, risk action being taken against them by the authorities of the relevant Member State. Ultimately this could result in the prevention of any future transfers of similar data. Potentially, an order preventing the transfer of personal data could significantly impact a business’ marketing or back office/processing departments if these offices are located overseas in countries outside the EEA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.