Data transfer: do you know the law?

US companies know little about new data legislation, but if they break the law, so do you

Although not a lot of people know it, data transfer outside Europe was made a criminal offence this year. Companies and their officers, including IT professionals with responsibility for data protection, commit a criminal offence if they breach the rules.

European law states that, with the exception of New Zealand, to transfer personal data (caches of e-mail addresses, customer databases, staff files etc.) outside the European Economic Area means getting the express consent of the data subjects, or getting a written agreement from the company to which you are transferring data that they will comply with European data protection law. This applies even between sister companies. Anything less is a criminal offence, which means that doing nothing is not an option.

The US has led the reaction to this and the good news is that on 1 November new rules called "Safe Harbor" came into play to allow personal data transfer to the US without specific consent from data subjects or a special data protection contract.

The new rules do not make all data transfer safe. First, the rules only apply in cases of transfer to the US. Second, unless you know that the US companies accepting the data have signed up to the new rules and are complying with them, you, the European company and its key staff, are in breach of the law.

Most US companies are unaware of the law or the new rules. It will be a case of you encouraging, educating and, at the extreme, refusing to transfer data unless US companies comply with the new rules.

For non-US companies, data subject consent or a special contract to deal with data protection remain the only choices.

The best way to flush out whether non European companies know about the rules is to ask them. In a supply contract, add a warranty that they comply and see what reaction you get.

What you should do

  • If there are US offices to which you transfer data, make sure they are aware of the new rules. US offices should bring themselves within the new rules, wherever possible

  • If your Web site is hosted in the US, make sure the host company is aware of the new rules and brings itself within them

Before dealing with any non-European based business, make sure that:

  • All data subjects have consented to their data being disclosed outside Europe (a tick box on forms or on the relevant Web page); or the sale/transfer agreements provide that the data purchaser will abide by the terms of the UK Data Protection Act 1998 or, in the case of a US purchaser, has signed up to and complies with Safe Harbor

  • You have executed a contract in the model form from the European Data Protection Authorities (available on their Web site at

  • There is an indemnity from the purchaser or accepter of European data for breach of data protection laws

The rules for the US

The new rules are about more than signing up to a code. Internal practices within the US company must protect rights of privacy, as set down in the Safe Harbor Resolution. US companies must either:

  • Adopt a self-regulatory privacy programme, as set down in the resolution

  • Use a programme already created for them, for example by their trade organisation

  • Develop their own privacy programme. The outline of the privacy programme must include rules very similar to those of the privacy programmes with which European companies must comply under the law here

If you would like further information on what to do to comply with the law, or have any comments on how these rules are working in your dealings with non-European companies, please contact [email protected]