There have been significant developments for trans-border data flows since 1 March 2000 when the Data Protection Act came into force. The Act implements the European Union's Data Protection Directive and has imposed a strict regime for processing personal data, a breach of which could lead to prosecution.
The eighth data protection principle sets out requirements for the transfer of data outside the EU. It prohibits transfer of personal data "to a country outside the European Economic Area (EEA), unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data".
How do you assess "adequate" protection?
The UK Data Protection Commissioner, her equivalents in other EU states, the European Commission and the US government have been debating this for more than two years. The Commissioner has published guidance for people, known as exporting controllers, who control the transfer of data to a destination country. They should check:
Where there is no presumption of adequacy, the UK exporting controller will need to look closely at the data transfer and adopt the "Adequacy Test" proposed by the Commissioner.
The Act also lists some exceptions. One of these is where a transfer can be made without meeting the requirements of the eighth principle, for example if you are buying a product from a US Web site and need to give your name and address to enable delivery.
The Safe Harbour Principles
These principles streamline the different privacy approaches of US organisations to comply with requirements of the directive and were ratified on 27 July 2000. US organisations signing up to the principles will be presumed to have an adequate level of protection to sustain and encourage data flows from the EU.
The principles can only be adopted where the directive is not applicable.
US organisations will have to:
The requirements for transfer of personal data outside the EU will continue to progress to comply with the data protection regime.
It is vital to get this right to ensure that business will flourish where there are trans-border data flows, whilst protecting the rights and freedoms of individuals.