Website operators commonly transfer the personal data of their users overseas. However, the UK’s Data Protection Act 1998 expressly restricts certain transfers of personal data outside the European Economic Area : “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.
This is known as the Eighth Data Protection Principle.
The Information Commissioner recommends a 4 stage approach to analysing such personal data transfers: first, is the transfer a “transfer of data to a third country”; second, is there an “adequate level of protection”; third, have the parties put in place “adequate safeguards”; and fourth, do any of the “other derogations” from the general principle apply.
Transfer of data to a third country
The EEA consists of the EU plus Iceland, Liechtenstein and Norway. Transfer is to be distinguished from transit: there will be no transfer of personal data where it merely passes through one jurisdiction on its way to another jurisdiction. In the context of websites, there will be a transfer (or transfers) of personal data outside the EEA where: – personal profile information will be published on the internet around the world (e.g. on social networking sites, auction sites, dating sites) – see Lindqvist v Kammaraklagaren (2003); – where a website collecting and/or hosting the personal data of EEA nationals is hosted outside the EEA; – where a website passes personal information to marketing affiliates outside the EEA. Obviously, this list isn’t exhaustive.
Adequate level of protection
A range of different factors may be taken into account in determining whether the level of protection offered by a country or territory is adequate. These include: the nature of the personal data, the country or territory of origin of the information contained in the data, the country or territory of final destination of that information, the purposes for which and period during which the data are intended to be processed, the law in force in the country or territory in question, the international obligations of that country or territory, any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases), and any security measures taken in respect of the data in that country or territory.
Very few countries have been deemed by the European Commission to offer an “adequate level of protection”. At the date of writing, only Argentina, Canada, Guernsey, the Isle of Man and Switzerland are considered to offer such protection. In addition, the Commission has recognised that US companies that sign up to the US Department of Commerce’s Safe Harbor principles offer an adequate level of protection. In any particular case, a the data controller transferring personal data outside the EEA may be expected to demonstrate having made an analysis of the relevant factors, and having concluded that protection was adequate.
Adequate safeguards
Where a data controller is not satisfied as to the adequacy of the level of protection in the country of destination, then it may still transfer the personal data if it uses the “model clauses” or “binding corporate rules” approved by the European Commission. The binding corporate rules are only applicable to intra-group transfers. The model clauses may be suitable for individually negotiated hosting or affiliate arrangements, but will be of no use where the data controller is contracting on the data processor’s standard terms – are in any case they generally considered to be unwieldy.
Other derogations
There are also a number of exceptions to the general prohibition, some of which may apply in the case of personal data processed by website owners: – the data subject has given his consent to the transfer. – the transfer is necessary (a) for the performance of a contract between the data subject and the data controller, or (b) for the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller. – the transfer is necessary (a) for the conclusion of a contract between the data controller and a person other than the data subject which— (i) is entered into at the request of the data subject, or (ii) is in the interests of the data subject, or (b) for the performance of such a contract.
If a website owner is to justify a transfer on the grounds of consent, that consent must be fully informed and freely given. Data subjects must, according to the Information Commissioner’s guidance, have a real opportunity of withholding that consent without suffering any penalty, and must be able to withdraw that consent at a later date if they change their minds. As the Information Commissioner notes: “For these reasons, consent is unlikely to provide an adequate long-term framework for data controllers in cases of repeated or structural transfers of data to a third country. The other two relevant derogations both use the concept of “necessity”. This may be a difficult test to meet.
Examples of application
Websites, such as social networking sites, auction sites, and dating sites, which allow users to publish their personal information on the internet may be best served by seeking to rely upon the derogation which allows transfers which are necessary for the performance of a contract between the data subject and the data controller. A key question will be whether the transfer is really “necessary”. For instance, it might be argued that it is not “necessary” for an auction site which is focused only on the UK to publish the personal information of individuals outside the EEA. If relying upon this derogation, the website owner will want to make certain that there is in fact a “contract” of some kind in place (not merely a licence to use the website).
Website owners who are thinking of having sites (which process personal data) hosted outside the EEA will not be able to rely upon that “necessary for contract” derogation, nor will they be able to rely upon a consent derogation (unless they also maintain special hosting facilities within the EEA for users who do not consent!). Instead, they should seek to ensure – one way or another – that the destination offers an adequate level of protection or that adequate safeguards are in place.
Caveats
The application of the Eighth Data Protection Principle is (some might say, needlessly) complicated. If you are in doubt about a particular issue of data protection law you should consider contacting the information Commissioner’s office or seeking professional advice. Please note that this post is grounded in the UK approach to data protection law, and the approaches of other EEA states will vary.
This subject is a tricky one if only for the grey areas that it leaves unclarified.
I’m thinking about all those thousands, perhaps millions, of websites employing a commented blog system — much like this one, in fact. Here I am, leaving a comment at the end of this blog entry. I’ve just given my first name but I could just as easily have used my full name. I’ve supplied an email address and a web site URL.
Now, would that be considered to be Personal Data and thus fall under the scope of the DPA? Could I be identified from that information? Probably, if you cross reference my first name with a visit to the URL, even without the email address (which is not published). So it could be argued that Personal Data is being published to a web page. And if I were to access that page from inside, say, the US, that would therefore constitute a breach of the DPA. As would the web sites of every single UK company that employs a blog and permits a similar commenting system.
The situation is clearly ludicrous. Since the database that drives the site would also store my email address, it would presumably be considered illegal for the site owner to consider using a web host based in the USA. Or would it?
If a web-based database is storing medical records or credit card numbers linked to names and addresses then of course the legal situation is pretty clear cut. But the far more common situation of a company blog with comments described above is far greyer and without clarification a lot of people will have no idea whether or not they are in breach of the DPA.
Consent is often the key to international transfers of personal data, and I think it applies here. When you posted the comment, you understood that it would be pubished on the website, and that the website could be viewed from anywhere. In this way, you consented to the international transfer of any personal data.
The position re hosting is a bit more difficult. Where we have used US-based service providers in the past, we have always made sure that they were signed up to the EU/FTC Safe Harbor scheme.