Website operators commonly transfer the personal data of their users overseas. However, the UK's Data Protection Act 1998 expressly restricts certain transfers of personal data outside the European Economic Area : “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.
This is known as the Eighth Data Protection Principle.
The Information Commissioner recommends a 4 stage approach to analysing such personal data transfers: first, is the transfer a “transfer of data to a third country”; second, is there an “adequate level of protection”; third, have the parties put in place “adequate safeguards”; and fourth, do any of the “other derogations” from the general principle apply.
Transfer of data to a third country
The EEA consists of the EU plus Iceland, Liechtenstein and Norway. Transfer is to be distinguished from transit: there will be no transfer of personal data where it merely passes through one jurisdiction on its way to another jurisdiction. In the context of websites, there will be a transfer (or transfers) of personal data outside the EEA where: - personal profile information will be published on the internet around the world (e.g. on social networking sites, auction sites, dating sites) – see Lindqvist v Kammaraklagaren (2003); - where a website collecting and/or hosting the personal data of EEA nationals is hosted outside the EEA; - where a website passes personal information to marketing affiliates outside the EEA. Obviously, this list isn't exhaustive.
Adequate level of protection
A range of different factors may be taken into account in determining whether the level of protection offered by a country or territory is adequate. These include: the nature of the personal data, the country or territory of origin of the information contained in the data, the country or territory of final destination of that information, the purposes for which and period during which the data are intended to be processed, the law in force in the country or territory in question, the international obligations of that country or territory, any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases), and any security measures taken in respect of the data in that country or territory.
Very few countries have been deemed by the European Commission to offer an “adequate level of protection”. At the date of writing, only Argentina, Canada, Guernsey, the Isle of Man and Switzerland are considered to offer such protection. In addition, the Commission has recognised that US companies that sign up to the US Department of Commerce's Safe Harbor principles offer an adequate level of protection. In any particular case, a the data controller transferring personal data outside the EEA may be expected to demonstrate having made an analysis of the relevant factors, and having concluded that protection was adequate.
Where a data controller is not satisfied as to the adequacy of the level of protection in the country of destination, then it may still transfer the personal data if it uses the “model clauses” or “binding corporate rules” approved by the European Commission. The binding corporate rules are only applicable to intra-group transfers. The model clauses may be suitable for individually negotiated hosting or affiliate arrangements, but will be of no use where the data controller is contracting on the data processor's standard terms - are in any case they generally considered to be unwieldy.
There are also a number of exceptions to the general prohibition, some of which may apply in the case of personal data processed by website owners: - the data subject has given his consent to the transfer. - the transfer is necessary (a) for the performance of a contract between the data subject and the data controller, or (b) for the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller. - the transfer is necessary (a) for the conclusion of a contract between the data controller and a person other than the data subject which— (i) is entered into at the request of the data subject, or (ii) is in the interests of the data subject, or (b) for the performance of such a contract.
If a website owner is to justify a transfer on the grounds of consent, that consent must be fully informed and freely given. Data subjects must, according to the Information Commissioner's guidance, have a real opportunity of withholding that consent without suffering any penalty, and must be able to withdraw that consent at a later date if they change their minds. As the Information Commissioner notes: “For these reasons, consent is unlikely to provide an adequate long-term framework for data controllers in cases of repeated or structural transfers of data to a third country. The other two relevant derogations both use the concept of “necessity”. This may be a difficult test to meet.
Examples of application
Websites, such as social networking sites, auction sites, and dating sites, which allow users to publish their personal information on the internet may be best served by seeking to rely upon the derogation which allows transfers which are necessary for the performance of a contract between the data subject and the data controller. A key question will be whether the transfer is really “necessary”. For instance, it might be argued that it is not “necessary” for an auction site which is focused only on the UK to publish the personal information of individuals outside the EEA. If relying upon this derogation, the website owner will want to make certain that there is in fact a “contract” of some kind in place (not merely a licence to use the website).
Website owners who are thinking of having sites (which process personal data) hosted outside the EEA will not be able to rely upon that “necessary for contract” derogation, nor will they be able to rely upon a consent derogation (unless they also maintain special hosting facilities within the EEA for users who do not consent!). Instead, they should seek to ensure – one way or another – that the destination offers an adequate level of protection or that adequate safeguards are in place.
The application of the Eighth Data Protection Principle is (some might say, needlessly) complicated. If you are in doubt about a particular issue of data protection law you should consider contacting the information Commissioner's office or seeking professional advice. Please note that this post is grounded in the UK approach to data protection law, and the approaches of other EEA states will vary.