Although not a lot of people know it, data transfer outside Europe was made a criminal offence this year. Companies and their officers, including IT professionals with responsibility for data protection, commit a criminal offence if they breach the rules.
European law states that, with the exception of New Zealand, to transfer personal data (caches of e-mail addresses, customer databases, staff files etc.) outside the European Economic Area means getting the express consent of the data subjects, or getting a written agreement from the company to which you are transferring data that they will comply with European data protection law. This applies even between sister companies. Anything less is a criminal offence, which means that doing nothing is not an option.
The US has led the reaction to this and the good news is that on 1 November new rules called "Safe Harbor" came into play to allow personal data transfer to the US without specific consent from data subjects or a special data protection contract.
The new rules do not make all data transfer safe. First, the rules only apply in cases of transfer to the US. Second, unless you know that US companies accepting data have signed up to the new rules and are complying with them it puts you, the European company and key staff, in breach of the law.
Most US companies are unaware of the law or the new rules. It will be a case of you encouraging, educating and, at the extreme, refusing to transfer data unless US companies comply with the new rules.
For non-US companies, data subject consent or a special contract to deal with data protection remain the only choices.
The best way to flush out whether non European companies know about the rules is to ask them. In a supply contract, add a warranty that they comply and see what reaction you get.
What you should do
Before dealing with any non-European based business, make sure that:
nThere is an indemnity from the purchaser or accepter of European data for breach of data protection laws
The rules for the US
The new rules are about more than signing up to a code. Internal practices within the US company must protect rights of privacy, as set down in the Safe Harbor Resolution. US companies must either:
If you would like further information on what to do to comply with the law, or any comments on how these rules are working in your dealings with non-European companies, please contact email@example.com
This was first published in November 2000