Data transfer across borders: falling in line with changes in the law

What is the 'eighth principle'? How could failing to comply with it affect your business?

There have been significant developments for trans-border data flows since 1 March 2000 when the Data Protection Act came into force. The Act implements the European Union's Data Protection Directive and has imposed a strict regime for processing personal data, a breach of which could lead to prosecution.

The eighth data protection principle sets out requirements for the transfer of data outside the EU. It prohibits transfer of personal data "to a country outside the European Economic Area (EEA), unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data".

How do you assess "adequate" protection?

The UK Data Protection Commissioner, her equivalents in other EU states, the European Commission and the US government have been debating this for more than two years. The Commissioner has published guidance for people, known as exporting controllers, who control the transfer of data to a destination country. They should check:

  • If it is a transfer of data, where transfer has its ordinary meaning and does not include "transit". Personal data on a Web site will be transferred to the country from which it is accessed

  • If the destination country is inside the EEA, in which case the transfer will not be caught by the requirements of the eighth principle although countries may have other rules for exporters to comply with

  • If there is a presumption of adequacy. The EC publishes a report on non-EEA countries which have an adequate level of protection and has reached agreements with some countries, such as the Safe Harbour Principles with the US.

Where there is no presumption of adequacy, the UK exporting controller will need to look closely at the data transfer and adopt the "Adequacy Test" proposed by the Commissioner.

The Act also lists some exceptions. One of these is where a transfer can be made without meeting the requirements of the eighth principle, for example if you are buying a product from a US Web site and need to give your name and address to enable delivery.

The Safe Harbour Principles

These principles streamline the different privacy approaches of US organisations to comply with the requirements of the directive and were ratified on 27 July 2000. US organisations signing up to the principles will be presumed to have an adequate level of protection to sustain and encourage data flows from the EU.

The principles can only be adopted where the directive is not applicable.

US organisations will have to:

  • Adopt standards for data protection and privacy. They need to participate in an industry programme

  • Having met the minimum standards, certify themselves to indicate their compliance

  • Be listed by the US Department of Commerce on its Web site. Regulation of organisations will be by a statutory body.

The requirements for transfer of personal data outside the EU will continue to develop to comply with the data protection regime.

It is vital to get this right to ensure that business will flourish where there are trans-border data flows, whilst protecting the rights and freedoms of individuals.

Usha Jagessar and Catherine Hamilton work at DLA. Contact them on 08700-111 111 or e-mail [email protected], [email protected]
