The eighth data protection principle implements the prohibition against the transfer of personal data to non-adequate countries contained in Article 25 of the Data Protection Directive. The eighth data protection principle says:
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. |
The adequacy test set out in Article 25.2. of the Directive is implemented in the interpretation contained in Schedule 1, Part II of the DPA. This says:
13. An adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to –
|
The interpretation also deals with ‘Community findings’ under Article 25.4. and Article 25.6. of the Directive. To recap, these articles give the European Commission the power to find that countries outside the EEA do not, or do, provide adequate protection. The effect of the interpretation is to make clear that European Commission decisions on adequacy of third countries are binding within the UK. The interpretation says:
15. – (1) Where –
|
The derogations found in Article 26 of the Data Protection Directive are found in Schedule 4 to the DPA. This says that the eighth data protection does not apply in the following cases:
|
The eighth and ninth derogations implement the Member State powers set out in Article 26.2. of the Directive, which allows Member States to authorize transfers to non-adequate countries where the data controller adduces adequate safeguards, which can be contained in contractual clauses. This gives the Information Commissioner the power to give approvals, even contractual approvals that are different to those in the European Commission’s decisions on model contractual clauses. However, the Information Commissioner’s power is weakened by the fact that they are obliged to comply with any decisions of the Commission on derogations. This is the effect of Article 26.3. and Article 26.4. of the Data Protection Directive, implemented by section 54(6) of the DPA:
Where the European Commission makes a decision for the purposes of Article 26(3) or (4) of the Data Protection Directive under the procedure provided for in Article 31(2) of the Directive, the Commissioner shall comply with that decision in exercising his functions under paragraph 9 of Schedule 4 or, as the case may be, paragraph 8 of that Schedule. |
Due the importance of the subject matter and the structure of the Data Protection Directive, national laws on transborder data flows can be considered to be the most harmonized of all of the provisions in the Directive. The importance of the structure of the Data Protection Directive cannot be overlooked. It gives significant powers to the EC, which derives assistance from the Article 29 Working Party. The Article 29 Working Party itself consists of the NSAs and representatives from the EC institutions, which means that there is close cooperation between Member States and the EC in the development of rules governing transborder data flows. This is a very dynamic arrangement that has already produced significant results.
The harmonization process is further accelerated in this area as the European Commission has retained for itself many very important powers over the Member States. These powers are:
The European Commission will inform Member States of any cases where it considers that a third country does not provide adequate protection, which is a highly persuasive authority for the Member States and which helps to shape and mould national positions (Article 25.3.).
The European Commission may make a finding that a third country does not provide adequate protection. This power is significantly greater that the obligation to inform the Member States of cases where the European Commission considers that a third country does not provide adequate protection, because where a finding of non-adequacy is made (which is a ‘Community finding’) the Member States are obliged to prevent transfers (Article 25.4.).
The European Commission also has the sole right to enter into negotiations with countries that it decides are not adequate (Article 25.5.). Again, this gives the European Commission major influence due to it being in control over a heavily political subject.
The European Commission may make a finding that a third country is adequate (which is another ‘Community finding’), which is binding on Member States (Article 25.6.).
The European Commission may object to authorizations given by Member States under Article 26.2. It if does object, it is required to take ‘appropriate measures’ and any resulting decision is binding on the Member States (Article 26.3.).
The European Commission may approve standard contractual clauses. These approvals are binding on the Member States (Article 26.4.).
These powers effectively give the European Commission complete control over the development of laws governing transborder data flows. While the Member States retain residual powers to grant authorizations by way of derogation, to all intents and purposes the European Commission has a right of veto over Member States’ decisions.
The Information Commissioner has issued three authorizations under Schedule 4, paragraph 9 of the DPA.151 The first authorization, dated 21 December 2001, authorizes exports to data controllers in non-adequate countries where the European Commission’s standard contractual clauses are used. The second authorization, dated 18 March 2003, authorizes transfers to data processors in non-adequate countries where the Commission’s standard contractual clauses are used. The third authorization, dated 27 May 2005, authorizes data exports to data controllers in non-adequate countries where the European Commission’s alternative set of standard contractual clauses are used. The Information Commissioner has not approved the use of any standard contractual clauses other than those adopted by the European Commission.
The Information Commissioner has authorized the use of BCR by General Electric Company. This authorization was made on 15 December 2005.
18.226.170.187