TRANSBORDER DATA FLOWS AND THE DPA

The eighth data protection principle implements the prohibition against the transfer of personal data to non-adequate countries contained in Article 25 of the Data Protection Directive. The eighth data protection principle says:

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.


The adequacy test set out in Article 25.2. of the Directive is implemented in the interpretation contained in Schedule 1, Part II of the DPA. This says:

13. An adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to –

  1. the nature of the personal data,

  2. the country or territory of origin of the information contained in the data,

  3. the country or territory of final destination of that information,

  4. the purposes for which and period during which the data are intended to be processed,

  5. the law in force in the country or territory in question,

  6. the international obligations of that country or territory,

  7. any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases), and

  8. any security measures taken in respect of the data in that country or territory.


The interpretation also deals with ‘Community findings’ under Article 25.4. and Article 25.6. of the Directive. To recap, these articles give the European Commission the power to find that countries outside the EEA do not, or do, provide adequate protection. The effect of the interpretation is to make clear that European Commission decisions on adequacy of third countries are binding within the UK. The interpretation says:

15. – (1) Where –

  1. in any proceedings under this Act any question arises as to whether the requirement of the eighth principle as to an adequate level of protection is met in relation to the transfer of any personal data to a country or territory outside the European Economic Area, and

  2. a Community finding has been made in relation to transfers of the kind in question, that question is to be determined in accordance with that finding.


The derogations found in Article 26 of the Data Protection Directive are found in Schedule 4 to the DPA. This says that the eighth data protection does not apply in the following cases:

  1. The data subject has given his consent to the transfer.

  2. The transfer is necessary –

    1. for the performance of a contract between the data subject and the data controller, or

    2. for the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller.

  3. The transfer is necessary –

    1. for the conclusion of a contract between the data controller and a person other than the data subject which –

      1. is entered into at the request of the data subject, or

      2. is in the interests of the data subject, or

    2. for the performance of such a contract.

  4. – (1) The transfer is necessary for reasons of substantial public interest.

    (2) The Secretary of State may by order specify –

    1. circumstances in which a transfer is to be taken for the purposes of sub-paragraph (1) to be necessary for reasons of substantial public interest, and

    2. circumstances in which a transfer which is not required by or under an enactment is not to be taken for the purpose of sub-paragraph (1) to be necessary for reasons of substantial public interest.

  5. The transfer –

    1. is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),

    2. is necessary for the purpose of obtaining legal advice, or

    3. is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

  6. The transfer is necessary in order to protect the vital interests of the data subject.

  7. The transfer is of part of the personal data on a public register and any conditions subject to which the register is open to inspection are complied with by any person to whom the data are or may be disclosed after the transfer.

  8. The transfer is made on terms which are of a kind approved by the Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects.

  9. The transfer has been authorised by the Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects.


The eighth and ninth derogations implement the Member State powers set out in Article 26.2. of the Directive, which allows Member States to authorize transfers to non-adequate countries where the data controller adduces adequate safeguards, which can be contained in contractual clauses. This gives the Information Commissioner the power to give approvals, even contractual approvals that are different to those in the European Commission’s decisions on model contractual clauses. However, the Information Commissioner’s power is weakened by the fact that they are obliged to comply with any decisions of the Commission on derogations. This is the effect of Article 26.3. and Article 26.4. of the Data Protection Directive, implemented by section 54(6) of the DPA:

Where the European Commission makes a decision for the purposes of Article 26(3) or (4) of the Data Protection Directive under the procedure provided for in Article 31(2) of the Directive, the Commissioner shall comply with that decision in exercising his functions under paragraph 9 of Schedule 4 or, as the case may be, paragraph 8 of that Schedule.


The extent of harmonization

Due the importance of the subject matter and the structure of the Data Protection Directive, national laws on transborder data flows can be considered to be the most harmonized of all of the provisions in the Directive. The importance of the structure of the Data Protection Directive cannot be overlooked. It gives significant powers to the EC, which derives assistance from the Article 29 Working Party. The Article 29 Working Party itself consists of the NSAs and representatives from the EC institutions, which means that there is close cooperation between Member States and the EC in the development of rules governing transborder data flows. This is a very dynamic arrangement that has already produced significant results.

The harmonization process is further accelerated in this area as the European Commission has retained for itself many very important powers over the Member States. These powers are:

  • The European Commission will inform Member States of any cases where it considers that a third country does not provide adequate protection, which is a highly persuasive authority for the Member States and which helps to shape and mould national positions (Article 25.3.).

  • The European Commission may make a finding that a third country does not provide adequate protection. This power is significantly greater that the obligation to inform the Member States of cases where the European Commission considers that a third country does not provide adequate protection, because where a finding of non-adequacy is made (which is a ‘Community finding’) the Member States are obliged to prevent transfers (Article 25.4.).

  • The European Commission also has the sole right to enter into negotiations with countries that it decides are not adequate (Article 25.5.). Again, this gives the European Commission major influence due to it being in control over a heavily political subject.

  • The European Commission may make a finding that a third country is adequate (which is another ‘Community finding’), which is binding on Member States (Article 25.6.).

  • The European Commission may object to authorizations given by Member States under Article 26.2. It if does object, it is required to take ‘appropriate measures’ and any resulting decision is binding on the Member States (Article 26.3.).

  • The European Commission may approve standard contractual clauses. These approvals are binding on the Member States (Article 26.4.).

These powers effectively give the European Commission complete control over the development of laws governing transborder data flows. While the Member States retain residual powers to grant authorizations by way of derogation, to all intents and purposes the European Commission has a right of veto over Member States’ decisions.

The Information Commissioner and transborder data flows

The Information Commissioner has issued three authorizations under Schedule 4, paragraph 9 of the DPA.151 The first authorization, dated 21 December 2001, authorizes exports to data controllers in non-adequate countries where the European Commission’s standard contractual clauses are used. The second authorization, dated 18 March 2003, authorizes transfers to data processors in non-adequate countries where the Commission’s standard contractual clauses are used. The third authorization, dated 27 May 2005, authorizes data exports to data controllers in non-adequate countries where the European Commission’s alternative set of standard contractual clauses are used. The Information Commissioner has not approved the use of any standard contractual clauses other than those adopted by the European Commission.

The Information Commissioner has authorized the use of BCR by General Electric Company. This authorization was made on 15 December 2005.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.226.170.187