Developments in technology and the global nature of business means that personal information about individuals in the UK may often be processed overseas, frequently without the explicit knowledge or consent of those individuals. This raises issues such as the security of such data, who may have access to it and for what purposes and what rights the individual may have to object. The Data Protection Act 1998 provides a standard of protection for personal data, including in respect of personal data that is being transferred outside of the UK. Chapter 18 focus on how a UK data controller (the organisation that controls how and why personal data is processed and is therefore legally responsible for compliance) can fulfil its business and operational requirements in transferring personal data outside the EEA, whilst ensuring legal compliance.
TopIntroduction
Businesses increasingly operate on an international basis both internally with global group structures and externally with networks of customers and suppliers. This is facilitated by the Internet and information communication technologies which allow the quick and easy transmission of data across national boundaries, and technologies that allow the increasingly complex and cheap collection, storage, use and disclosure of data. The combination of these factors means that personal information about individuals in the UK may often be processed overseas, frequently without the explicit knowledge or consent of those individuals. This raises issues such as the security of such data, who may have access to it and for what purposes and what rights the individual may have to object.
Europe has a long history of data protection and has traditionally been seen as having a higher standard than the rest of the world. European data protection legislation therefore builds in a standard of protection for personal data that is being transferred outside of the UK. In the UK this protection comes from the Data Protection Act 1998 (the “DPA”), primarily the eighth data protection principle in that Act.
This chapter will address the position in the UK by reference to the DPA, principally the eighth data protection principle. The chapter will then focus on how a UK data controller (the organisation that controls how and why personal data is processed and is therefore legally responsible for compliance) can fulfil its business and operational requirements in transferring personal data outside the EEA, whilst ensuring legal compliance including options such as:
- •
relying on the findings of adequacy by the European Commission;
- •
relying on the EU/US Safe Harbor deal;
- •
using the EU model clauses;
- •
using Binding Corporate Rules; and
- •
relying on one of the exemptions in Schedule 4 of the DPA.
This chapter is based on the law as at 1 July 2009.
TopTransfers Into The Uk
This chapter addresses transfers of personal data from the UK, but in a global business UK data controllers may also receive personal data from overseas. Some issues to consider in this scenario include: