David Gourlay, IP/IT Partner with McClure Naismith, provides an insight into the complex legal issues related to the transfer of personal data to countries located outside the European Economic Area (EEA).

With increasing globalisation, more and more businesses and organisations in Scotland are looking to trade internationally. Equally, more and more overseas businesses are looking to do business with Scotland, and throughout the UK. Inevitably, any trading relationship will involve the transfer of important and often sensitive data, much of it of a personal nature.

However, subject to limited exceptions, Scottish businesses are prevented from transferring personal data to a country outside the EEA unless that country ensures an adequate level of protection for the data. We have the 1995 Data Protection Directive to thank for this, something which has been implemented in all EEA countries and specifically in the UK by the Data Protection Act 1998. This barrier to cross-border transfers of personal data throws up not insignificant challenges for businesses keen to trade internationally.

If we take the scenario of an ambitious Scottish company looking to do business internationally, it will almost certainly need to pass personal data relating to its employees, suppliers and customers to businesses outside the EEA. The financial services sector (a lynchpin of the Scottish economy) is, for example, well renowned for offshoring to economies such as India, something which often entails the passing of customers' personal data to the overseas service provider.

The position is even more acute for multi-national companies which want to be able to pass personal data throughout their group of companies. In this context a common scenario might be the HR department of a multi-national headquartered in the US with subsidiaries throughout Europe, including Scotland, which wants information about its European employees. Not unreasonable, you might say, but nevertheless not always straightforward to put into practice.

The European Commission is responsible for deciding whether a country outside the EEA provides an adequate level of protection for personal data. To date only Argentina, Canada (in certain circumstances), Switzerland, the Isle of Man, Guernsey and very recently Jersey fall into this category.

The US is a special case. In order to be considered able to offer an adequate level of protection, the US organisation to be passed the data must be a signatory to what is known as the "Safe Harbour Principles". Considering the importance of the US to the world economy, this is a significant obstacle to international transfers of personal data, and one which has caused much soul searching at all levels.

Organisations can conduct their own risk-based adequacy assessment to determine whether an international transfer of personal data can proceed, but other solutions are often preferred.

There are, for example, certain exemptions which allow an organisation to transfer personal data outside the EEA to a country which is not regarded as providing an adequate level of protection.

These exemptions include obtaining the consent of the individuals concerned. At first glance, securing consents would not seem to be particularly onerous. But when you consider that consent must be freely given, specific and informed, in practice it can be very difficult to obtain.

So where does that leave any business whose ambitions depend on its ability to transfer personal data between different countries? Well, EEA based organisations can use "model contracts" which have been approved by the European Commission – but even then there are three sets, so care must be taken when deciding which set to use.

If consent or model clauses are not considered to be appropriate solutions Binding Corporate Rules (BCRs) may be a solution. BCRs are rules prepared by multinational companies which can be used to regulate the transfer of personal data from the EEA to members of the group located outside the EEA. However, BCRs are very much in their infancy and can be something of a daunting prospect as they require approval from all the relevant data protection authorities in the EEA.

The reality is that cross-border transfers of personal data can be complex and high risk. Indeed, failure to follow the correct legal framework can halt an expanding business in its tracks.

David Gourlay is currently advising a multi-national company headquartered in the US which has a large number of European subsidiaries and which requires those subsidiaries to transfer personal data to it.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.