European Privacy - International Association of Privacy Professionals

European FM
8/15/11
3:56 PM
Page i
EUROPEAN PRIVACY
Law and Practice for Data
Protection Professionals
Executive Editor
Eduardo Ustaran
Partner, Field Fisher Waterhouse
An IAPP Publication
©2012 by the International Association of Privacy Professionals (IAPP)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, mechanical, photocopying, recording or
otherwise, without the prior written permission of the publisher, International Association
of Privacy Professionals, Pease International Tradeport, 75 Rochester Ave., Suite 4,
Portsmouth, NH 03801, United States of America.
Editor: Elissa Myers, CAE
Cover design: Noelle Grattan, -ing designs, llc.
Copy editor: Sarah Weaver
Compositor: Eric Rosenbloom, Kirby Mountain Composition
Indexer: Jan Bednarczuk, Jandex Indexing
ISBN 978-0-9795901-5-3
Library of Congress Control Number: 2011932958
CONTENTS
About the IAPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Richard Soule
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Bojana Bellamy
SECTION ONE: Introduction to European Data Protection
Chapter 1: Origins and Historical Context of Data Protection Law
Sian Rudgard
Rationale for data protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Human rights law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Early laws and regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
The need for a harmonised European approach . . . . . . . . . . . . . . . . . . . . . . . . . . 11
The Treaty of Lisbon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Chapter 2: European Union Institutions
Michelle Levin and Lilly Taranto
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
European Parliament . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
European Council . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Council of the European Union (Council of Ministers) . . . . . . . . . . . . . . . . . . . . 24
European Commission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
European Court of Human Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Court of Justice of the European Union . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Article 29 Working Party . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Chapter 3: Legislative Framework
Brian Davidson
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
The Council of Europe Convention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
The Data Protection Directive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
The Privacy and Electronic Communications Directive . . . . . . . . . . . . . . . . . . . . 40
The Data Retention Directive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Impact on member states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
SECTION TWO: European Data Protection Law and Regulation
Chapter 4: Data Protection Concepts
Nuria Pastor
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Personal data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Sensitive personal data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Controller and processor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Data subject . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Chapter 5: Application of the Law
Antonis Patrikios
Applicability criteria under the Directive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Establishment in the EU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
No establishment in the EU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
The e-Privacy Directive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
The Data Retention Directive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Chapter 6: Data Protection Principles
Lilly Taranto
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Fairness and lawfulness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Purpose limitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Proportionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Data quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Chapter 7: Legitimate Processing Criteria
Victoria Hordern
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Processing personal data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Processing sensitive data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Chapter 8: Information Provision Obligations
Hannah Jackson
The Transparency Principle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Exemptions to the obligation to provide information to data subjects . . . . . . . . . 112
Privacy Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Chapter 9: Data Subjects’ Rights
Michelle Levin
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
The right of access under Article 12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
The right to obtain rectification, erasure or blocking of the data processing . . . . . 132
The right to object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
The right not to be subject to fully automated decisions . . . . . . . . . . . . . . . . . . 137
Chapter 10: Confidentiality and Security
Stewart Room
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
The approach taken by the Data Protection Directive and national legislations . . 142
Appropriate technical and organisational measures . . . . . . . . . . . . . . . . . . . . . . . 146
Dealing with data processors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
The regime in the e-Privacy Directive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
The regime in the Data Retention Directive . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Breach disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Chapter 11: Notification Requirements
Brian Davidson
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Notification obligation and exemptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Content and format of notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Prior authorisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Lack of harmonisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Timescales . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
The future of notification in the EU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Conclusion and practicalities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Chapter 12: International Data Transfers
Eduardo Ustaran
Introduction: Limitations affecting international data transfers . . . . . . . . . . . . . . . 173
Scope of data transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Meaning of an ‘adequate level of protection’ . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Procedure to designate countries with adequate protection . . . . . . . . . . . . . . . . 177
The situation in the United States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Legitimising data transfers by adducing adequacy—model contracts . . . . . . . . . . 180
Data transfers within a multinational corporate group—Binding Corporate Rules . . . . . 184
Data transfers to service providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Relying on derogations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
The future of the prohibition on international data transfers . . . . . . . . . . . . . . . . 189
Chapter 13: Supervision and Enforcement
Stewart Room
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Administrative supervision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Regulation by the citizen and access to justice . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Sanctions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
The Article 29 Working Party . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
The European Data Protection Supervisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Supervision and enforcement within the e-Privacy Directive . . . . . . . . . . . . . . . 205
Strategies for coping with supervision and enforcement . . . . . . . . . . . . . . . . . . . 206
SECTION THREE: Compliance with European Data Protection Law and Regulation
Chapter 14: Employment Relationships
Victoria Hordern
Employee data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Legal basis for processing employee personal data . . . . . . . . . . . . . . . . . . . . . . . . 211
Processing sensitive employee data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Providing notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Storage of personnel records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Workplace monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Works councils . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Whistle-blowing schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Chapter 15: Surveillance Activities
Antonis Patrikios
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
CCTV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Biometrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Location-based services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Chapter 16: Direct Marketing
Phil Lee
Data protection and direct marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Postal marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Telephone marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Marketing by electronic mail (including e-mail, SMS and MMS) . . . . . . . . . . . . 255
Fax marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Location-based marketing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Online behavioural advertising . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Chapter 17: Internet Technology and Communications
Hannah Jackson
Cloud computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Cookies and IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Search engines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Social Networking Services (SNS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Chapter 18: Outsourcing
Eduardo Ustaran
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
The roles of the parties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Data protection obligations in an outsourcing contract . . . . . . . . . . . . . . . . . . . . 290
The German case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Offshoring and international data transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Appendices
Appendix 1: EU Legislative References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Appendix 2: EU Institutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
About the Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
European12
8/13/11
12:16 PM
Page 173
Chapter Twelve
INTERNATIONAL DATA TRANSFERS
By Eduardo Ustaran, Partner
1. Introduction: Limitations affecting international data transfers
One stated objective of the Data Protection Directive is to allow the free flow of personal data between member states, based on agreed-upon principles of personal data protection. At the same time, the Directive recognises that transfers of personal data to third countries require special consideration.
1.1 Legislative background
Article 25 of the Directive places a challenging requirement on the governments of EU
member states: to ban the transfer of personal data to any country outside the European
Economic Area (which consists of the EU member states together with Iceland, Liechtenstein and Norway) unless that third country (a country outside the EEA) ensures an adequate level of privacy protection.
The recitals of the Directive do not clearly explain the reason behind this radical prohibition. They recognise that cross-border flows of personal data are necessary for the expansion of international trade, but they also state that the transfer of personal data to a third country that does not ensure an adequate level of protection must be prohibited.
To understand the basis for this approach, it is necessary to bear in mind the purpose
of the Directive as set out in Article 1: Member states must protect the fundamental rights
and freedoms of natural persons, and in particular their right to privacy with respect to the
processing of personal data. In other words, the main aim of the legal regime established by
the Directive is to create a framework that protects and shields individuals’ personal information from misuse and abuse.
However, such a framework would be very fragile if the protection afforded by it were
to fall apart as soon as the personal information left the boundaries of the countries subject
to EU data protection law. Therefore, the European institutions responsible for drafting and
adopting the Directive tried to preserve the effect of the new regime by blocking any attempts to weaken the protection afforded to individuals. In practice, this has created a situation that effectively imposes EU data protection standards in jurisdictions outside Europe.
1.2 Practical implications
Bearing in mind the high standards of privacy protection imposed by the Directive, it is difficult to see how countries without an equally strict legislative approach can avoid falling foul of this provision. As a result, this element of the Directive has been seen as a serious barrier to international commerce: although the Directive seeks to facilitate the flow of personal data between EU member states, it has been perceived as a threat to global trade. For some large multinational organisations, this has meant adopting EU data protection practices across their operations irrespective of where the data processing activities actually take place.
2. Scope of data transfers
The concept of transfer is not defined by the Directive. However, transfer is not the same as mere transit. The fact that personal data may be routed through a third country on its way from an EEA country does not, by itself, bring that movement within the scope of Article 25 of the Directive unless some substantive processing operation is conducted on the personal data in the third country.
In practice, there are two common situations that have been a source of concern in
the past, but that are not subject to the conditions dealing with data exports:
• Technical routing over packet-switched networks (such as Internet e-mail and web pages), which may involve personal data passing through servers located anywhere in the world
• Electronic access to personal data by travellers who happen to be physically located for a short period of time in a place that does not afford an adequate level of protection; for example, a person who logs on from a foreign airport to a computer system based in the EU in order to access data
In addition, following the European Court of Justice decision of November 2003 in the Swedish case against Bodil Lindqvist (C-101/01), where an individual in a member state merely loads personal information onto a website that is hosted in that state or in another member state, so that the information can be accessed by anyone who connects to the Internet, this does not constitute a transfer of data to a third country.
However, where there is an international exchange of information about individuals
with the intention of automatically processing that personal information after it has been
exchanged, that should be regarded as a transfer for the purposes of the Directive, even if
the original exchange does not qualify as processing of personal data. An example of this
would be where information is provided by someone in the EU over the telephone to
someone in a third country who then enters the information on a computer.
3. Meaning of an ‘adequate level of protection’
Article 25 of the Directive states that:
The Member States shall provide that the transfer to a third country of personal data which
are undergoing processing or are intended for processing after transfer may take place only if,
without prejudice to compliance with the national provisions adopted pursuant to the other
provisions of this Directive, the third country in question ensures an adequate level of
protection.
3.1 EU official interpretation
In general, the adequacy of the protection afforded by the third country in question must
be assessed on a case-by-case basis in the light of all the circumstances surrounding the data
transfer. In addition, as part of that assessment, particular consideration must be given to:
• The nature of the data
• The purpose and duration of the proposed processing operation or operations
• The country of origin and country of final destination
• The rules of law, both general and sectoral, in force in the third country
• The professional rules and security measures that are complied with in that country
To help organisations carry out that assessment in practice, the Article 29 Working
Party issued quite detailed advice even before the deadline for implementation of the Directive. Following this advice, the analysis of the level of protection must comprise two
basic elements: (1) the content of the applicable rules and (2) the means for ensuring their
effective application. Accordingly, the Article 29 Working Party identified a set of content
principles and a basic enforcement mechanism, which can be regarded as a minimum requirement for the protection to be considered adequate.
The content principles include:
• The purpose limitation principle: Data must be processed for a specific purpose and
subsequently used or further communicated only when compatible with the original purpose.
• The data quality and proportionality principle: Data must be accurate and, where necessary, kept up to date. The data must be adequate, relevant and not excessive in relation to the purposes for which it is transferred or further processed.
• The transparency principle: Individuals must be provided with information as to the
purpose of the processing and the identity of the data controller in the third country, and any other information that is necessary to ensure fairness.
• The security principle: The data controller must take technical and organisational security measures appropriate to the risks presented by the processing. Any person acting
under the authority of the data controller, including a processor, must not process
data except on instructions from the controller.
• The rights of access, rectification and opposition: Individuals must have a right to obtain a
copy of all data relating to them, and a right to rectification of such data where it is
shown to be inaccurate. Where there are compelling legitimate grounds, individuals
must also be able to object to the processing of their personal data.
• Restrictions on onward transfers: Further transfers of the personal data by the recipient
of the original data transfer must be permitted only when the second recipient (i.e.,
the recipient of the onward transfer) is also subject to rules affording an adequate
level of protection.
• Sensitive data: Where ‘sensitive’ categories of data are involved, additional safeguards
should be in place, such as a requirement that individuals give their explicit consent
for the processing.
• Direct marketing: Where data is transferred for the purposes of direct marketing, individuals should be able to opt out from having their data used for such purposes at
any stage.
• Automated individual decision: Where the purpose of the transfer is to make an automated decision in the sense of Article 15 of the Directive, the individual should have
the right to know the logic involved in this decision, and other measures should be
taken to safeguard the individual’s legitimate interest.
The enforcement mechanism required need not be based on a supervisory authority
model, as is typically the case within EU member states. What the Article 29 Working Party
is concerned about is a system that meets the underlying objectives of a data protection
procedural system:
• The delivery of a good level of compliance with the rules: A good system is generally characterised by a high degree of awareness among data controllers of their obligations,
and among individuals of their rights and the means of exercising them. The existence of effective and dissuasive sanctions can play an important role in ensuring
respect for the rules, as can systems of direct verification by authorities, auditors or
independent data protection officials.
• The provision of support and help to individuals in the exercise of their rights: Individuals
must be able to enforce their rights rapidly and effectively, and without prohibitive
cost, which means that there must be some sort of institutional mechanism allowing
independent investigation of complaints.
• The availability of appropriate redress to the injured party when rules are not complied with:
This is a key element, which must involve a system of independent adjudication
or arbitration that allows compensation to be paid and sanctions imposed where
appropriate.
3.2 The UK approach
In June 2006, the UK Information Commissioner’s Office (ICO) produced an updated
version of its own guidance note in the area of international data transfers.1 The ICO’s
guidance includes a section called the ‘adequacy test’, which is aimed at helping exporters
of personal data determine whether a transfer can be regarded as adequate in terms of data
protection.
According to the ICO’s guidance, the adequacy criteria are divided into two categories: the ‘general adequacy criteria’ and the ‘legal adequacy criteria’. The general adequacy criteria are factors that the exporting data controller can identify easily; for example,
the nature of the personal data being transferred and purpose for which the data will be
processed. General adequacy criteria should be assessed in detail on every occasion. The
legal adequacy criteria may be more difficult for the controller to assess as they are factors
relating to the legal system in force in the third country.
An exhaustive analysis of the legal adequacy criteria may be unnecessary if an assessment of the general adequacy criteria has revealed that, in the particular circumstances, the
transfer is low risk. Conversely, if the general adequacy assessment reveals a high-risk transfer (e.g., if the data is particularly sensitive), then a more comprehensive investigation of the
legal adequacy criteria will be expected.
Therefore, this assessment must be made by focusing on the potential risks involved in
the transfer and whether or not, in all the circumstances of the case, an adequate level of
protection is likely to be ensured in the third country.
4. Procedure to designate countries with adequate protection
The Directive allows the European Commission to determine whether a third country ensures an adequate level of protection by reason of its domestic law or of the international
commitments it has entered into (Article 25(6)). Therefore, the Commission has established
a formal procedure to designate countries that can be assumed to ensure an adequate level
of protection. The steps that are taken as part of this procedure include:
• Creation of a proposal from the European Commission
• Issuance of an opinion by the Article 29 Working Party
• Issuance of an opinion of the Article 31 Management Committee delivered by a
qualified majority of member states
• Provision of a 30-day right of scrutiny for the European Parliament to check
whether the Commission has used its executing powers correctly
• Adoption of the decision by the European Commission
The effect of such a decision is that personal data can flow from the EU member states
and the other EEA member countries to that third country with no further safeguard necessary. At the time of writing, the Commission has recognised Switzerland, Hungary (which has since joined the EU), Canada, Argentina, Guernsey, the Isle of Man, Jersey, the Faroe Islands, Andorra and Israel as providing adequate protection.
The European Commission has recognised the need for a more extensive use of findings of adequate protection in third countries. Therefore, the Commission expressly included this task in the Work Programme for a better implementation of the Directive and
is likely to step up its activity in this area. Other jurisdictions that may join the list of ‘safe’
countries in the short to medium term include Australia, New Zealand and Japan.
5. The situation in the United States
Countries that prefer a sectoral, largely self-regulatory approach to personal privacy, such as the United States, face a particularly difficult challenge when importing personal data from Europe. In light of this, and considering the large volume of data transfers carried out daily between the EU and the U.S., the U.S. Department of Commerce and the European Commission devoted more than two years to developing a self-regulatory framework that would allow U.S. organisations to satisfy the requirements of the Directive. On 26 July 2000, the European Commission finally issued a Decision stating that the so-called Safe Harbor Privacy Principles provide adequate protection for personal data transferred from the EU.
5.1 Safe Harbor Privacy Principles
The decision by U.S.-based organisations to abide by the Safe Harbor Privacy Principles is
entirely voluntary. Organisations that decide to participate in the scheme must comply
with the relevant requirements and publicly declare that they do so. In practice, an organisation needs to self-certify annually to the U.S. Department of Commerce in writing that
it agrees to adhere to the Safe Harbor requirements. It must also include a statement in its
published privacy policy that it adheres to the principles.
The requirements established by the Safe Harbor Privacy Principles are as follows:
• Notice: An organisation must inform individuals of the purposes for which it collects and uses personal information, how it can be contacted, to whom it intends to disclose the information and the choices and means available to individuals for limiting the use and disclosure of that information. This notice must be made available in clear and conspicuous language before the organisation uses or discloses the information.
• Choice: An organisation must offer individuals the opportunity to opt out of uses or
disclosures involving their personal information, where such uses or disclosures are
incompatible with the purposes for which the information was originally collected
or subsequently authorised by the individual. With regard to sensitive personal information (data specifying the medical or health condition, the racial or ethnic origin, the political opinions or trade union membership, the religious or philosophical beliefs or the sex life of an individual), affirmative or explicit consent (opt-in) must be obtained if the information is to be used for a purpose other than that for which it was originally collected or subsequently authorised by the individual.
• Onward transfer: An organisation may disclose personal information only to those
third parties that (a) subscribe to the Safe Harbor Privacy Principles, (b) are subject
to the Directive, or (c) enter into a written agreement whereby they undertake to
provide at least the same level of privacy protection provided by the Safe Harbor
Privacy Principles.
• Security: Organisations processing personal information must take reasonable security
measures and precautions to avoid its loss, misuse and unauthorised access, disclosure, alteration or destruction.
• Data integrity: An organisation may only process information relevant to the purposes for which it has been gathered. In addition, steps must be taken to ensure that
the data is (a) relevant for the intended use and (b) accurate, complete and current.
• Access: Individuals must have access to personal information about them held by an
organisation and be able to correct it, except where the burden or expense of providing access is disproportionate to the risks to the individual’s privacy in the case in
question, or where the rights of persons other than the individual would be violated.
• Enforcement: Organisations must abide by certain mechanisms of compliance with the
Safe Harbor Principles, which provide recourse for individuals and consequences for
noncompliance. At the very least, such mechanisms must include (a) a readily available and affordable independent recourse to deal with individuals’ complaints and
disputes by reference to the Safe Harbor Privacy Principles and award damages
where applicable; (b) a follow-up procedure to verify the implementation of privacy
practices; and (c) an obligation to remedy problems arising out of failures to comply
with the Safe Harbor Privacy Principles.
5.2 Practical operation
To qualify for the scheme, an organisation must either:
• join a self-regulatory privacy programme that adheres to the Safe Harbor’s requirements, or
• develop its own self-regulatory privacy policy that conforms to the Safe Harbor.
Enforcement of the Safe Harbor Privacy Principles takes place in the United States in
accordance with U.S. law and is carried out primarily by the private sector. Private sector
self-regulation and enforcement is backed up as needed by government enforcement of the
federal and state unfair and deceptive statutes.
An EU organisation can ensure that it is sending information to a U.S. organisation
that participates in the Safe Harbor by viewing the public list of Safe Harbor organisations
posted on the U.S. Department of Commerce’s website. This list became operational at the
beginning of November 2000 and contains the names of all U.S. companies that have self-certified to the Safe Harbor Privacy Principles, together with any additional documentation. This list
is regularly updated, so it is clear who is in the Safe Harbor.
U.S. organisations can also meet the adequacy requirements of the Directive if they include the Safe Harbor requirements as the substantive privacy provisions in written agreements with parties transferring data from the EU.
6. Legitimising data transfers by adducing adequacy: model contracts
There is an increasing interest in promoting the use of the standard contractual clauses for
international transfers of personal data to third countries not providing an adequate level of
protection.
6.1 Terms approved by the Commission
Article 26(2) of the Directive provides that member states may authorise a transfer, or a set
of transfers, of personal data to third countries that do not ensure an adequate level of protection where the organisation wishing to transfer the data adduces adequate safeguards for
the privacy rights of individuals.
Article 26(4) goes on to say that such safeguards may result from certain standard contractual clauses approved by the European Commission. Following several years of negotiations with national regulatory bodies, influential trade associations and international
organisations, on 15 June 2001, the European Commission adopted a decision2 setting out
standard contractual clauses ensuring adequate safeguards for personal data in this context.
This decision obliges member states to recognise that companies or organisations using
these standard clauses in contracts concerning personal data transfers to countries outside
the EEA are offering adequate protection to the data. Although, in principle, member states
are bound by the Commission’s decision to allow transfers on the basis of the standard
contractual clauses, the data protection authorities of each country may require that a copy
of the contract be deposited with them. However, this is not a requirement across the EU.
In addition, if there is a substantial likelihood that the standard contractual clauses are
not being, or will not be, complied with and the continuing transfer would create an imminent risk of grave harm to individuals, the national data protection authorities may exercise their powers to prohibit or suspend any relevant transfer.
6.2 Obligations of the exporter
According to the standard contractual clauses, an EU-based exporter of personal data must
warrant and undertake that:
• The processing of personal data up to the moment of the transfer is, and will continue to be, carried out in accordance with the local data protection law.
• If the transfer involves sensitive personal data, the relevant individuals will be informed (e.g., via a privacy policy) that their data may be transmitted to a third country without an adequate level of data protection.
• It will make available, upon request, to any individual to whom the data relate, a
copy of the standard clauses used in the transfer contract.
• It will respond to any enquiries of any such individual in relation to the overseas
transfer and processing.
• It will respond to any enquiries of its national data protection authority in connection with the processing carried out by the importer of the data transferred.
6.3 Obligations of the importer
The standard clauses approved by the European Commission require the overseas recipient
of the data to warrant and undertake that:
• It has no reason to believe that its national legislation will affect its performance of
the contract.
• It will process the data in accordance with the so-called nine Mandatory Data Protection Principles, which represent a minimum requirement for data protection and
mirror the key requirements of the Directive in terms of purpose limitation, data
quality and proportionality, transparency, security, individuals’ rights, restrictions on
onward transfers, sensitive data, direct marketing and automated individual decisions.
• It will deal promptly and properly with all reasonable enquiries made by its European partner or the individuals to whom the data relate.
• It will cooperate with any relevant national data protection authority investigating
the transfer or the processing carried out by the importer.
• It will submit its data processing facilities for audit upon request of the data
exporter.
• Upon request, it will make available a copy of the standard clauses used in the transfer contract to any individual to whom the data relates.
6.4 Alternative model contracts
The European Commission stated in its first report on the implementation of the Directive
of 15 May 2003 that it intended to adopt further decisions on the basis of Article 26(4) so
that economic operators have a wider choice of standard contractual clauses. Accordingly,
the Commission issued a new decision on 27 December 2004 amending its decision of
June 2001 and adding a second version to the sets of standard contractual clauses that can
be used to legitimise international transfers between data controllers. This second version
was based on an alternative draft pioneered by the International Chamber of Commerce.
Under the original 2001 clauses, the exporter of the data had to warrant very difficult
things, such as the fact that the processing would always be carried out in accordance with
the law of the country where the exporter was based, and that individuals would be informed if the transfer involved sensitive personal data. In the 2004 clauses, these obligations
are replaced by more practical and achievable tasks, such as:
• Ensuring that the collection, processing and transfer is in accordance with the laws
applicable to the exporter
• Using reasonable efforts to determine that the data importer is able to satisfy its legal
obligations under the clauses
• Providing the importer, upon request, with copies of relevant data protection laws
and references to them (not including legal advice)
In addition, some of the obligations under the 2001 clauses have been softened by the
2004 clauses, as the exporter will be required to respond to enquiries from individuals and
data protection authorities only if the importer has not agreed to do so, and confidential
information may be excluded from the copy of the clauses that must be made available to
individuals who request them.
The 2004 clauses dealing with the importer’s obligations are very detailed and precise;
however, they are also more realistic than the 2001 clauses. For example, unlike under the
2001 clauses, a data importer that enters into an agreement containing the 2004 model
clauses will have to warrant and undertake that:
• It has appropriate technical and organisational security measures in place.
• It has procedures in place to ensure that any third party with access to the data (including data processors) will respect and maintain the confidentiality and security of
the data.
• It will identify to the data exporter a contact point within its organisation authorised to respond to enquiries concerning the processing of the personal data, and
will cooperate in good faith with the data exporter and the relevant individuals and
data protection authorities within a reasonable time.
• It will provide the data exporter with evidence of financial resources sufficient to
fulfil its responsibilities upon request.
• It will submit its data processing facilities, data files and relevant documentation for
reviewing, auditing and/or certifying by the data exporter (or any independent or
impartial inspection agents or auditors selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties
and undertakings under the agreement, with reasonable notice and during regular
business hours, if reasonably requested by the data exporter.
• It will not disclose or transfer the personal data to a third-party data controller located outside the European Economic Area, except in some specific cases.
One clause that was softened deals with the impact of local laws on the ability of the
data importer to comply with its data protection obligations. Under the 2004 clauses, the
data importer must warrant that, at the time of entering into the agreement with the data
exporter, it has no reason to believe in the existence of any local laws that would have a
substantial adverse effect on the guarantees provided, and that it will inform the data exporter (which will pass such notification on to the relevant data protection authority where
required) if it becomes aware of any such laws. However, even in this case, there is no provision that allows the exporter to suspend the transfer of data or terminate the contract, as
in the 2001 clauses.
Similarly, the 2004 clauses place a practical limitation on the right of access by allowing data importers to deny such access in cases where requests are manifestly abusive, or
unreasonably repetitive or frequent. The data processor can also deny access if it need not
be granted under the law of the country of the data exporter. In addition, provided that a
competent data protection authority has given its prior approval, access need not be
granted when doing so would be likely to seriously harm the interests of the data importer
or other organisations dealing with the data importer and such interests are not overridden
by the interests for fundamental rights and freedoms of the individuals.
7. Data transfers within a multinational corporate group: Binding Corporate Rules
The Article 29 Working Party developed the concept of ‘Binding Corporate Rules’ to
allow multinational corporations, international organizations and groups of companies to
make intra-organizational transfers of personal data across borders in compliance with EU
Data Protection Law.
7.1 BCR concept
Data exports within a multinational corporate group are subject to the same rules as exports outside the group. However, using ad hoc contractual arrangements is not a cost-effective way of legitimising international transfers for data-reliant organisations operating
on a worldwide basis. For many global organisations, using personal data is all about sharing information beyond national borders and jurisdictional differences. Therefore, a flexible,
tailor-made solution that does away with the impracticalities of having to enter into innumerable contracts among subsidiaries is likely to be the only practical option.
In recent years, the EU data protection authorities have acknowledged the role of
Binding Corporate Rules (BCR) as a mechanism to legitimise data exports within a corporate group. In essence, a set of BCR is a global code of practice based on European privacy standards, which multinational organisations draw up and follow voluntarily and
national regulators approve in accordance with their own legislation.
The idea of using BCR to create adequate safeguards for the purposes of the EU Data
Protection Directive was devised by the Article 29 Working Party in its Working Document WP 74 adopted in 2003. To assist BCR candidates, in 2005 the Article 29 Working
Party developed a Model Checklist (WP 108). On the same date, the Working Party issued
a Working Document Setting Forth a Co-Operation Procedure for Issuing Common
Opinions on Adequate Safeguards Resulting from Binding Corporate Rules (WP 107). In
addition to setting out the criteria for choosing a lead data protection authority, this document set out the required process to be followed by the lead authority and the participating data protection authorities before issuing an authorisation.
In June 2008, the Working Party issued three additional documents that must be carefully considered when seeking to rely on BCR to legitimise data exports. These comprise a
table setting out the consolidated approval criteria for BCR (WP 153), a sample framework for the structure of the BCR (WP 154) and a set of frequently asked questions (WP
155). The most important of the three documents is undoubtedly WP 153. Although this
draws on existing Working Party papers (notably WP 74 and WP 108), it clarifies the specific elements that must be contained in the BCR documentation and provides a set of
clear criteria for approval.
Since then, the EU data protection authorities have increased their level of cooperation to streamline the BCR approval process. This cooperation has led to the adoption of a
‘mutual recognition’ process that, at the time of writing, is supported by 19 EU member
states and shortens considerably the review of BCR applications. More recently, the Article
29 Working Party provided the strongest commitment to BCR via its submission to the
consultation on the EU Data Protection Directive, which suggests that a provision for
BCR should be further reinforced and included in any new legal framework so that BCR
is expressly recognised as an appropriate tool to provide adequate safeguards.
7.2 BCR practical requirements
The BCR must apply generally throughout the corporate group irrespective of the location of the members, the nationality of the individuals whose personal data is being
processed or any other criteria or consideration. The Article 29 Working Party also stresses
that two elements must be present in all cases if the BCR are to be used to adduce safeguards for data exports: binding nature and legal enforceability.
In practice, the binding nature of the BCR implies that the members of the corporate
group, as well as each employee within it, are compelled to comply with the BCR. Legal
enforceability means that the individuals covered by the scope of the BCR must become
third-party beneficiaries either by virtue of the relevant national law or by contractual
arrangements between the members of the corporate group. Those individuals should be
entitled to enforce compliance with the BCR by lodging a complaint before the competent data protection authority and before the courts.
In addition, the Working Party’s documents include the following requirements:
• The BCR must set up a system that guarantees awareness and implementation of
the BCR both inside and outside the EU.
• The BCR must provide for self-audits and/or external supervision by accredited auditors on a regular basis with direct reporting to the parent’s board.
• The BCR must set up a system by which individuals’ complaints are dealt with by a
clearly identified complaint-handling department.
• The BCR must contain clear duties of cooperation with data protection authorities
so individuals can benefit from the institutional support.
• The BCR must also contain provisions on liability and jurisdiction aimed at facilitating their practical exercise.
• The corporate group must accept that individuals will be entitled to take action
against the group as well as to choose the jurisdiction.
• Individuals must be made aware that personal data is being communicated to other
members of the corporate group outside the EU, and the existence and the content
of the BCR must be readily accessible to those individuals.
In 2008, BCR came of age and established themselves as a viable solution for multinationals that are serious about privacy and data protection compliance. In addition to the
growing number of applications, several factors are evidence of this. One strong indicator is
that BCR was one of the top priorities for the Article 29 Working Party according to its
Work Programme for 2008. Moreover, in the past few years there has been a real change of
approach amongst EU data protection authorities, who are now very receptive to the use
of BCR to legitimise personal data exports.
8. Data transfers to service providers
On 27 December 2001, the European Commission adopted a second decision3 setting out
standard contractual clauses for the transfer of personal data to data processors established in
non-EEA countries that are not recognised as offering an adequate level of data protection.
Again, the inflexible nature of the original 2001 controller-to-processor clauses led to
a further proposal by the International Chamber of Commerce and on 5 February 2010,
the European Commission issued its decision, updating and replacing the original
controller-to-processor standard clauses with a new set of model clauses. As of 15 May
2010, EEA-based data controllers wishing to rely on standard contractual clauses to legitimise international data transfers to processors outside the EEA must use the updated
controller-to-processor clauses for new processing operations. This is not necessary for existing processing operations provided that the data processing operations remain unchanged. This means that material changes such as new countries where the processing
takes place, new types of personal data or different processing purposes are likely to require
a fresh contract.
The updated controller-to-processor clauses deserve some credit for recognising the
reality of modern outsourcing arrangements. They do so by legitimising the power of data
processors to subcontract and attempting to enable the effective use of the chain of service
providers performing different roles. However, the updated clauses retain the onerous obligations imposed on the exporter and the importer by the original controller-to-processor
clauses and set out unnecessarily strict rules concerning the processor’s ability to subcontract its services.
The exporter’s obligations include a warranty regarding ongoing compliance with the
exporter’s law, an implied assessment of the applicable security requirements and the provision of notice to individuals where the transfer involves sensitive personal data. The importer’s obligations retain the full severity of the original controller-to-processor clauses in
respect of adverse local legislation and audit rights.
In addition, the updated controller-to-processor clauses set out very strict rules concerning the processor’s ability to subcontract some of its services. The rules set out 13 conditions that must be met by the parties to make subprocessing lawful every time some
aspect of the outsourced service is handled by a subprocessor. These conditions are:
• Before subcontracting any of its processing operations, the importer must inform the
data controller and obtain its written consent.
• The processor and subprocessor must enter into an agreement with the same obligations as the updated controller-to-processor clauses. This agreement must be sent to
the exporter and, where requested, made available to individuals.
• The importer must accept liability for the subprocessor’s actions whilst the subprocessor must remain subject to the third-party beneficiary clause and to the law of
the exporter.
• The exporter must keep a list of all the subprocessing agreements. That list must be
available to the data protection authority, who will also be entitled to audit the subprocessor.
• Finally, on termination, the subprocessor must return or destroy the data and allow
the controller to audit compliance with this obligation.
The step-by-step subcontracting process is so cumbersome that it hardly solves the
problem it was meant to address. Therefore, this approach is often not accepted by global
outsourcing vendors. In the context of complex data processing arrangements involving
chains of service providers, the step-by-step process is entirely at odds with the ability to
engage different providers for different aspects of the service without direct involvement of
the customer. Sophisticated organisations are therefore likely to move away from the standard contractual clauses and explore other, more suitable solutions.
9. Relying on derogations
The principle set out in Article 25 of the Directive is not absolute, as Article 26 includes a
number of so-called derogations that are subject to the domestic laws of member states.
9.1 Consent
Data exports can lawfully be made with the consent of the individual. Consent must still
be freely given and while it is possible to make consent a condition for the provision of a
nonessential service, consent is unlikely to be valid if the individual has no real choice. This
is particularly the case in the context of employment where, for instance, an existing employee is required to agree to the international transfer of personal data, and the penalty for
not agreeing is dismissal. Such ‘consent’ is likely invalid.
Consent must also still be specific and informed. This means that the individual must
know and understand what such consent will amount to. Individuals should be informed
of the reasons for the transfer and, if possible, the countries involved. In addition, any identified risks involved in the transfer should be brought to the individual’s attention.
9.2 Contract performance
The Directive allows data transfers in cases where specific types of contracts are in place or
being contemplated. In the case of a contract between the exporter and the individual to
whom the data relates, a transfer may be carried out if such transfer is necessary for performance of the contract or is a necessary part of precontractual steps taken by the exporter at the request of the individual.
In the case of a contract between the exporter and someone other than the individual,
the transfer will be lawful if the contract is entered into at the individual’s request or in her
interests and the transfer is necessary for the performance or conclusion of the contract.
The contracts covered by these provisions are not restricted to the supply of goods or
services, and may apply in the case of employment contracts. However, whether a transfer
is necessary for the performance of a contract will depend on the nature of the goods or
services provided under the contract rather than the way in which the exporter’s operations are organised. In other words, a transfer is not necessary if the only reason for it is the
fact that the exporter has chosen to structure its operations in a way that involves transferring data overseas.
Therefore, if a customer books a holiday abroad through an EEA-based travel agent,
the travel agent must transfer the booking details to the foreign hotel in order to fulfil the
contract with the customer. However, if for pure efficiency or cost-cutting reasons that
travel agent decides to place its customer database in a computer based outside the EEA, it
cannot be said that the transfer of personal data to the computer located overseas is necessary for the performance of the contract with the customer.
9.3 Substantial public interest
Transfers can be carried out where necessary for reasons of substantial public interest. This
case is most likely to apply in situations where the transfer is necessary for reasons of crime
prevention and detection, national security and tax collection.
In the UK, the Information Commissioner advises data exporters intending to rely on
this exception to adopt a similar case-by-case test to that required by the general crime and
taxation exemption. In other words, a transfer of personal data carried out under this exception must take place only to the extent that there is likely to be substantial harm to the
public interest if the transfer does not take place.
9.4 Legal claims
Transfers can be made where they are necessary:
• in connection with any legal proceedings (including prospective proceedings);
• for obtaining legal advice; or
• for establishing, exercising or defending legal rights.
It should be noted that the legal proceedings do not necessarily have to involve the
exporter or the individual in question, nor do the legal rights have to be those of the exporter or the individual.
9.5 Vital interests
Exports of personal data can lawfully be carried out where necessary to protect the vital
interests of the particular individual. In practice, this relates to matters of life and death,
such as the transfer of medical records of an individual who has become seriously ill or
been involved in a serious accident abroad.
9.6 Public registers
Exports of personal data can also be made from information available on a public register
provided that the person to whom the information is transferred complies with any restrictions on access to, or use of, the information in the register. This allows transfers of extracts
from a public register of directors, shareholders or professional practitioners, for example,
but would not allow transfers of the complete register. In addition, if there are conditions
of use imposed by the body or organisation responsible for compiling the register, they
must be honoured by the importer and any further recipients.
10. The future of the prohibition on international data transfers
Overcoming the prohibition under Article 25 of the Directive is one of the most difficult
compliance challenges faced by global organisations operating in the EU. As described
above, whilst this prohibition is not absolute, finding and implementing the right mechanism to ensure adequacy is likely to be onerous and time consuming. However, even in the
face of technological developments and greater globalisation, the appetite of the EU institutions for a softer approach in the foreseeable future is likely to be low.
Accordingly, and to ensure compliance, international organisations are strongly advised
to develop a viable global data protection compliance programme in line with the adequacy criteria devised by the European Commission and commit to abiding by it through
either a contractual mechanism or a set of BCR.
1 The Eighth Data Protection Principle on international data transfers, 30 June 2006.
2 Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, Official Journal of the EU/Legislation (OJL) 181/19 of 4 July 2001.
3 Commission Decision 2002/16/EC of 27 December 2001 on standard contractual clauses for the transfer of personal data to processors established in third countries, OJ 6/52 of 10 January 2002.