
Overseas transfers of personal data


  • Overseas transfers of personal data

    This thread addresses the position in the UK by reference to the legal provisions and common practical scenarios, looking at how a UK data controller (the organisation that controls how and why personal data is processed and is therefore legally responsible for compliance) can fulfil its business and operational requirements in transferring personal data, whilst ensuring legal compliance.
    Last edited by Paule; 10th August 2008, 11:41:AM.

  • #2
    Introduction to overseas transfers of personal data

    Businesses increasingly operate on an international basis both internally within global group structures and externally with networks of customers and suppliers. This is facilitated by the internet which allows the quick and easy transmission of data across national boundaries and technologies that allow the increasingly complex and cheap collection, storage, use and disclosure of data. The combination of these factors means that personal information about individuals in the UK may often be processed overseas, frequently without the explicit knowledge or consent of those individuals. This raises issues such as the security of such data, who may have access to it and for what purposes and what rights the individual may have to object.

    Europe has a long history of data protection and has traditionally been seen as having a higher standard than the rest of the world. European data protection legislation therefore builds in a standard of protection for personal data that is being transferred outside of Europe. In the UK this protection comes from the Data Protection Act 1998 (the 'Act'), primarily the last of eight Principles set by the Act, Principle 8.

    However there is an issue as to whether the legislation has been overtaken by commercial and technological advances and whether the overseas transfer requirements in fact place unreasonable and unrealistic demands on organisations that transfer data overseas. But until any changes are made, organisations must fit within the current compliance regime.

    The primary legal provision is Principle 8 of the Act which states that,

    "Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."

    However, other principles and provisions of the Act are relevant when looking at overseas transfers. For example, Principle 1 requires a data controller to provide information to individuals about the processing of personal data about them. This can include telling people that information about them will go overseas. Principle 7 requires appropriate technical and organisational security measures to be in place to protect data, including ensuring the reliability of staff and having written contracts in place with any data processors (suppliers/providers acting on behalf of a data controller in processing personal information). Compliance with the Act should be considered as a whole.

    Conversely, Principle 8 only applies to transfers from a European country to a country outside the European Economic Area ('EEA') (the European member states plus Norway, Iceland and Liechtenstein). For any other use, disclosure or transfer of personal data there is no Principle 8 issue, but the rest of the principles still apply.

    Alongside compliance, organisations should consider commercial and reputational risks. Banks and call centres are regularly being criticised for lack of security in the protection of personal data; employers transferring data to an overseas head office frequently face queries and objections from staff. Properly implementing a compliance process for overseas transfers can involve a business in time and effort and in the management of customer/employee expectations and concerns, but, in view of the damage that can be done from adverse publicity whether external or internal, compliance is well worth the investment.

    Is there an international transfer of personal data from the UK?

    Before considering the regulatory and compliance issues in relation to international data transfers, the first question is "whether a transfer of personal data is taking place". If personal data merely transit through another country they may not be considered to be transferred there. Guidance from the Information Commissioner, the data protection regulator, suggests that a transfer involves a transmission from one place or person to another. Whilst it recognises that for electronic transfers the data may not physically move but rather are copied, it is quite clear that a transfer comprises more than simply a routing of data through a third country on its way from the UK to another European country.

    This issue was considered by the European Court of Justice when Mrs Lindqvist, an active member of her local church in Sweden, set up an internet home page as part of a computer course and chose to create a site giving information to church parishioners. The site included names, telephone numbers and references to hobbies and jobs held by Mrs Lindqvist and her fellow parishioners.

    Whilst the court held that posting information on a website did constitute the processing of personal data as covered by the data protection legislation, it found that this did not constitute an overseas transfer of such personal data, where the site was hosted by a national ISP. It reasoned that the Directive could not be construed as intending the expression "transfer of data to a third country" to cover the loading of data onto an internet page, even though this resulted in data being made accessible to persons in other countries.

    However, the UK Information Commissioner has suggested that the intention of the person uploading the data is an important consideration and that, in practice, as data are often loaded onto the internet with the intention that they will be accessed across the world, there will usually be a transfer and the Lindqvist principle will not apply. In Mrs Lindqvist's case this did not affect her as she had no intention that the information would be accessed overseas; it was a local initiative. But, though the legal position is unclear, for most global organisations who do intend their websites to be accessed by anyone anywhere in the world, if they post personal data it is more likely that they are intentionally making a transfer overseas and Principle 8 applies.

    What about transfers into the UK?

    This series of articles addresses transfers of personal data from the UK. But in a global business UK data controllers may also receive personal data from overseas. Some issues to consider in this scenario include:
    • Is the UK entity only acting as a data processor on behalf of the overseas entity? If so, the overseas entity may wish to impose contractual obligations on the UK entity but, if the UK entity has no control over how and why the data are to be processed, it will not become a UK data controller with compliance obligations.
    • If the UK entity does exercise control over the processing of the data, is the overseas entity complying with the laws of its own country? Are there any restrictions on transfer from that country? Whilst this may not directly affect the UK data controller, it is possible that it will not be obtaining the data fairly and lawfully under the Act if it is aware that this is in breach of overseas legislation.
    • Similarly, will the UK data controller be using the data in a way compatible with the purposes for which it was originally collected? Again, it may be considered unfair under the Act to use the data for purposes not expected by the individuals.

    A UK data controller should seek advice and carry out due diligence if it is importing data from overseas.

    Enforcement

    In the UK, the Information Commissioner is responsible for enforcing the Act. Generally, compliance issues come to light when an individual complains to the Information Commissioner. The Information Commissioner will carry out an investigation which may involve contacting the organisation and requiring further information. The Information Commissioner can issue an enforcement notice for non-compliance. Failure to comply with an enforcement notice is a criminal offence which can lead to a fine of up to £5,000 in the magistrates' court; both the organisation itself and its directors or officers can be liable.

    An issue recently reported in the media was the case of SWIFT, the Belgium-based bank transfer organisation. Complaints were made that SWIFT broke privacy laws (in this case in Belgium), firstly by storing data about European banking transactions in a data centre in the United States without informing the European data subjects, and secondly by allowing US security agencies access to those transaction details. This has led to a wider compliance issue for UK banks who may also allow US security agencies access to transaction details for anti-terror investigations. Banks have written to customers to explain that this may happen and have been in discussions with the Information Commissioner; enforcement action in the UK is not currently envisaged, although the situation could change.

    It is important for any organisation to keep abreast of compliance issues, guidance from the Information Commissioner and best practice and to bear in mind that even without formal enforcement action, protecting reputation can be equally as important.
    Last edited by Paule; 10th August 2008, 11:03:AM.

    • #3
      Options for Principle 8 compliance

      If you have established that there is a transfer of personal data from the UK, the next step is to look at the grounds for making the transfer.
      The grounds on which a transfer may be made to be compliant with Principle 8 can be viewed in three groups: the regimes established by the regulators; the statutory exemptions to the Principle 8 prohibition; and the data controller's own finding of adequacy. Each of these groups is considered in more detail below.

      Regimes established by the regulators

      Findings of adequacy by the European Commission

      The European Commission undertakes a process of investigating the data protection legislation and regimes of certain countries outside the EEA. Its conclusions as to whether countries outside the EEA ensure an adequate level of protection are published on the Europa website. These include Switzerland, Canada, Argentina, the Isle of Man and Guernsey. The UK Information Commissioner has adopted these findings of adequacy for the purposes of the UK Data Protection Act 1998 (the "Act") as well. Therefore a transfer to one of these countries is acceptable under Principle 8 of the Act, although compliance with the other principles must still be considered.
      For example, a UK financial services company has offshore operations in the Isle of Man, Guernsey, the Cayman Islands and the Bahamas. Subject to compliance with the rest of the Act, it can make intra-group transfers of customer and employee personal data to its operations in the Isle of Man and Guernsey under Principle 8 as these countries are deemed to have an adequate level of protection. However, for the Cayman Islands and the Bahamas it must find another compliance route. Adequacy findings therefore only provide a limited solution.

      The EU/US Safe Harbor Deal

      Although the European Commission does not consider the national data protection legislation of the USA to be adequate, it has reached a deal that will allow a finding of adequacy if organisations in the USA sign up to a self-regulatory scheme known as Safe Harbor. The Information Commissioner has adopted this finding of adequacy for the purposes of the UK Data Protection Act 1998 as well. This may be an option for companies transferring to a US head office or using a US supplier that has signed up to the Safe Harbor principles (although take up in the US has been slow).

      Model contractual clauses

      A transfer of data from a data controller in the EEA to a data controller in a third country is permitted if that transfer is made in accordance with standard contractual clauses which the European Commission has decided offer sufficient safeguards. The Information Commissioner has approved use of the model contractual clauses for the purposes of achieving adequacy under Principle 8 of the Act. This is often the route used in outsourcing offshore deals.

      Binding corporate rules

      A company code of practice, or set of binding corporate rules, may be accepted by EU regulators as an adequate basis for transfer but the concept is at a relatively early stage of development and can be time consuming to implement across a global organisation.

      Statutory exemptions to the Principle 8 prohibition

      Schedule 4 of the Act sets out a number of cases where Principle 8 will not apply to an overseas transfer of data, many of which act as simple exemptions from the adequacy requirements of Principle 8. The Information Commissioner does not generally promote reliance upon these exemptions, especially for long-term or frequent transfers by commercial entities, and interprets them in a very narrow way. The exemptions are therefore unlikely to be appropriate for most commercial transfers, but the two that are most likely to be considered are consent and transfers necessary for the conclusion of a contract with the data subject.

      Consent

      It is always open to a UK data controller to get the consent of individuals to an overseas transfer. Consent ensures Principle 8 compliance. However, before following this route an organisation should consider carefully whether it is the most appropriate option. What would happen if an individual did not consent or subsequently withdraws their consent? Consent must be unambiguous, freely given, specific and informed. There is an argument that employees cannot give valid consent as they may feel that they have no other option. For business critical transfers consent is not really an option and organisations will need to rely on one of the other options, bearing in mind that there may still be a need to tell people about the transfer, even if their consent is not obtained.

      Transfers necessary for the conclusion of a contract between an individual and the data controller

      In some cases, the nature of the relationship between the data controller and the individual may imply that a transfer of data is necessary for contract fulfilment. For example, if an individual books a holiday in Malaysia through a UK travel agency, it is implicit in that relationship that the travel agent may need to transfer information about the individual to the Malaysian airlines, hotels, tour operators etc. However, "necessary" should be something more than just convenient or cost efficient. This option is unlikely to apply where an employer wants to transfer employee data to an overseas head office as this is not going to be strictly necessary for fulfilment of the employment contract.

      Data controller's own finding of adequacy

      The Information Commissioner has made clear to UK businesses that it is open to the data controller to make its own finding of adequacy in relation to a particular transfer, and has provided detailed guidance on how adequacy may be assessed.

      The adequacy tests

      The Information Commissioner has defined two tests for assessing adequacy: an assessment of the adequacy of the legal regime in place in the country to which the data will be transferred; and an assessment of the general adequacy of the transfer bearing in mind the nature of the data being transferred. In particular, the Information Commissioner has recommended that such an assessment of adequacy should include an examination of a number of stated criteria applicable to the transfer as follows:

      1. The nature of the personal data

      Certain personal data are so widely available to the public that their transfer to a third country is of little consequence to the rights of the data subject, for example the statistics of sports stars or media personalities. Conversely, however, the transfer of previously unknown or sensitive personal data may have a considerable impact on the rights of the data subject, especially if that third country lacks the relevant regulatory protection for such data.

      2. The country or territory of origin of the information contained in the data

      If the data have been obtained in a third country originally, the data subject may have different expectations as to the level of protection that will be afforded to the data than if the data had been obtained in the EEA.

      3. The country of final destination of that information

      If it is known that there will be a further transfer of the data to another country, the data protection regime of that country must also be considered.

      4. The purposes for which the data are intended to be processed

      Some purposes may pose a higher risk than others, for example wide use of data for marketing contact.

      5. The period during which the data are intended to be processed

      The longer the period of processing, the more likely it is that any deficiencies in the data protection regime of that country will be exposed.

      6. Any security measures taken in respect of the data in the third country

      It may be possible to ensure security of the data by means of technical measures, for example encryption or the adoption of security management practices similar to those set out in ISO 17799.
      More detail on the adequacy tests is set out in the Information Commissioner's Guidance on overseas transfers.
      The Commissioner also suggests that this might be the option used for data controller to data processor transfers. For example, if a UK company decides to outsource a back office function to China, the processing remains subject to the Act and the UK data controller remains responsible for protecting the data.
      The seventh data protection principle requires there to be a written contract between the data controller and data processor which ensures the security of the data. Given that there is already a requirement to have a written contract in place, the Commissioner's guidance suggests that if due diligence on the data processor in light of the above criteria does not reveal any particular risks then the processor contract may be sufficient to comply with Principle 8. Nevertheless, many organisations prefer to use the model clauses as evidence of compliance.

      • #4
        EU model contractual clauses

        The European Commission has published model contractual clauses, use of which will ensure Principle 8 compliance. The UK Information Commissioner has approved the use of the model contractual clauses as a means of ensuring adequacy under Principle 8; however, this approval only extends to use of the model contractual clauses as they stand, or with additional contractual language added to them that does not contradict them in any way. Any amendment to the model contractual clauses, even where such amendment does not affect the meaning of the clauses, will mean that the data controller does not benefit from the Information Commissioner's approval; however, the data controller may still make use of such amended clauses as part of its own assessment of adequacy.

        The standard contractual clauses are designed to facilitate transfers of personal data from the EEA to all third countries, while providing sufficient safeguards for the protection of the privacy of individuals. These clauses offer an alternative means of fulfilling adequacy requirements such as consent but organisations intending to transfer personal data to third countries are not obliged to use these clauses if they could pass the adequacy test by taking one of the other routes.

        There are two sets of model clauses produced by the European Commission; one governs controller-to-controller transfers and the other controller-to-processor transfers. There is also an additional approved set, put forward by a group of international business associations, which covers controller-to-controller transfers. There are currently no clauses for processor-to-processor transfers.

        In essence, both data importer and exporter have to warrant and undertake that they have complied with data protection standards which meet the requirements of the Data Protection Directive in respect of the data. They must accept liability to data subjects for breach of those standards, with cross indemnities to ensure that the one responsible for the actual breach meets the cost of the breach. For example, both sides agree to meet requests from data subjects relating to the right of access to personal data and to reply to requests for information from the data protection authorities. Both sides warrant that the processing they undertake is lawful with respect to their own laws, and both sides agree to be sued if damage is caused to data subjects.

        The data importer based outside the EEA has the most onerous task. This importer has, in addition, to agree to limit processing to the specification in the contract. So, for example, the personal data transferred by the data exporter cannot be used, disclosed or transferred to another party without the prior written consent of the exporter.

        In addition, the data importer must adopt appropriate levels of security, identify all staff who require training in data protection matters, and notify the data exporter of those laws which allow the authorities in the importer's country to access the exporter's personal data. Failure to comply with these provisions will permit the data exporter to terminate the contract with the importer. Finally, the contract also provides for other termination requirements and deals with jurisdictional matters. The Mandatory Data Protection Principles are annexed to the standard contractual clauses. Understandably, organisations have concerns about the role of these clauses in a commercial transaction as they are not particularly user-friendly but they are often the simplest option if the data exporter can persuade the overseas organisation to sign up to them.

        See: The text of the standard contractual clauses.

        • #5
          The US Safe Harbor scheme

          After more than two years of negotiations with the US Department of Commerce, the European Commission approved the Safe Harbor scheme which sets out a framework of data protection standards which allow the free flow of personal data from EEA data controllers to the US organisations which have joined the scheme.

          US companies that adhere to the Safe Harbor data protection standards, principles and procedures will be deemed to provide an adequate level of protection which satisfies, in UK terms, the requirements of Principle 8.

          Benefits

          For international companies with subsidiaries or trading partners in the US and the EEA the Safe Harbor scheme is designed to reduce the administrative burden of complying with the Data Protection Directive and to ensure that data flows to Europe are uninterrupted. However, due to the limited take up, it is questionable whether this has been achieved in practice.

          Scope

          The Safe Harbor scheme applies only to the transfer of personal data from a data controller in the UK to a data controller in the US. It does not apply to transfers of personal data from a UK data controller to a US data processor that processes personal data in the US or the EEA, nor is the scheme applicable where data is obtained directly from individuals via a website.

          At present, US businesses in sectors such as telecommunications and financial services are not able to take advantage of the scheme.

          Requirements

          In order to be eligible to join the Safe Harbor scheme, a US organisation must be monitored or regulated by an independent statutory body which can protect personal privacy effectively and has jurisdiction to investigate complaints. The Federal Trade Commission ('FTC') and the Department of Transportation ('DOT') are such statutory bodies recognised by the European Commission. For example, air carriers may participate as they are subject to the jurisdiction of the DOT. Voluntary compliance, monitored by the FTC, therefore allows, for example, the transfer of customer details from a US company's European offices or subsidiaries into the US.

          To qualify for the Safe Harbor scheme, a US organisation has three options. It can:
          • develop its own self-regulatory privacy policy which conforms to the Safe Harbor requirements; or
          • join a self-regulatory privacy programme which adheres to the requirements, organised by firms such as VeriSign and TRUSTe; or
          • be subject to a statutory or other body of law or rules which effectively achieves the same standards.

          Organisations must commit to a data protection and privacy notice which complies with all seven Safe Harbor principles, set out below.

          Principles

          The Safe Harbor scheme establishes seven principles which are broadly equivalent to the standards established by the principles of the Act.
          • Notice: giving individuals notice of the purposes for which their data are collected, notice of the third parties to whom the data may be disclosed, information to enable the individuals to contact the organisation for enquiries or complaints and the means offered for limiting use and disclosure.
          • Choice: offering individuals the choice of opting out of disclosure to third parties and the choice of whether or not to allow the organisation to use the data for purposes other than those for which they were originally collected. An opt-in approach is required if sensitive data are involved.
          • Onward transfers: data may be disclosed only to third parties who either subscribe to the Safe Harbor principles, or who are subject to the Data Protection Directive, or who enter into a written agreement to provide the equivalent level of privacy protection.
          • Access: providing the individual with access to his data and giving him the right to have the information corrected upon request, unless the burden or expense of doing so is disproportionate or would violate the rights of another individual.
          • Security: taking reasonable precautions to protect personal data from loss or misuse and from unauthorised access, disclosure, alteration and destruction.
          • Data integrity: ensuring that data are accurate, up-to-date, relevant and reliable for their intended use.
          • Enforcement: providing effective enforcement mechanisms and dispute resolution procedures.

          Although the principles are broadly equivalent to the UK standards, there are differences. For example Principle 7 of the Act requires "appropriate" security measures whereas Safe Harbor requires "reasonable" precautions which is not necessarily as high a standard. Once a US organisation has established a privacy policy which declares its compliance with Safe Harbor principles and has decided to participate in the Safe Harbor scheme, it must self-certify its compliance in writing with the US Department of Commerce. This can be achieved by a letter which sets out certain information including details of the organisation's activities in relation to the data collected and a description of its privacy policy. The Department of Commerce will maintain and make public a list of those self-certified organisations and their self-certification letters.

          Enforcement

          The Safe Harbor principles require that an organisation’s policy be enforceable. How does the law apply to ensure that those who self-certify do not merely pay lip-service to data protection principles? There are several ways in which enforcement can be achieved.

          Once on the register of Safe Harbor, the organisation must self-certify annually. It does this by verifying its compliance with the principles by means of internal or external audits. At least once a year a statement must be signed by a corporate officer, or other authorised representative of the organisation, to the effect that the organisation has conducted an assessment which verifies the organisation's compliance. This statement must then be made available upon request or whenever the organisation's compliance is being investigated.

          An organisation's privacy policy must specify:
          • the statutory body which has jurisdiction to hear complaints against it;
          • the names of any privacy programs of which it is a member; and
          • the independent dispute resolution mechanism by which complaints may be investigated.

          This ensures that any member of the public can find out where to address complaints. The dispute resolution mechanism can be provided by private sector self-regulatory bodies such as TRUSTe, through legal or regulatory supervisory authorities or by committing to co-operate with data protection authorities in the EEA. The US organisation must also be able to remedy problems arising out of a failure to comply with Safe Harbor principles.

          Sanctions for non-compliance include publicising non-compliance, deletion of data, compensation and injunctive orders. If the recourse mechanism provided is a private sector dispute self-regulating body, then any failure to comply with its ruling must be notified either to the courts, the FTC or DOT (as appropriate) and, in the case of persistent failure to comply with the Safe Harbor requirements, to the Department of Commerce.

          The FTC and DOT are committed to taking action against companies who fail to live up to their self-certified privacy policies. Under the Federal Trade Commission Act ('FTCA'), "unfair or deceptive acts or practices in or affecting commerce" are illegal and the FTC is empowered to take action to prevent them. If an organisation signs up to the Safe Harbor principles and then fails to comply, it has misrepresented its practice on the treatment of personal information.

          After a formal hearing the FTC may impose sanctions for breach of the FTCA. Sanctions available to the FTC to stop processing include cease and desist orders, restraining orders and injunctions.

          Non-compliance with such an order attracts a further penalty of $12,000 for each day of the period of non-compliance.

          The DOT also has the power to stop unfair and deceptive practices in relation to carriage by air.

          In addition to the recourse mechanism under the scheme and to the power of the statutory overseer, organisations which fail to comply with their own Safe Harbor promises may be open to claims made directly by individuals for misrepresentation. Individuals may also claim for breaches of privacy under common law and under some federal and state statutes.

          • #6
            The effect of binding corporate rules on overseas transfers of personal data

            Following the widespread use of the model contractual clauses, Binding Corporate Rules were developed by the EU Article 29 Working Party for use by a multinational organisation or group of companies as a mechanism of transferring personal data throughout the organisation. Such rules are intended as an alternative to model contracts (EU model contractual clauses) and Safe Harbor (The US Safe Harbor scheme) and are aimed at providing a compliance solution to multinational organisations.

            Approval process

            Binding corporate rules need to be approved by every European data protection authority in whose jurisdiction a member of the group will rely on them, but the advantage is that the approval process is simplified as an application is made to one national "lead" data protection supervisory authority in Europe and that authority liaises with all other authorities to seek approval. For example, a group with entities in five European countries could submit its rules to the UK Information Commissioner for approval. The UK Commissioner would then obtain approval, on behalf of the organisation, from the four other countries. However, in practice the requirements of EU privacy authorities vary and so the approval process may be lengthy.

            Content of rules

            Although referred to as rules, an organisation does not have to have one document or policy to comply; a set of policies and procedures or measures taken together could be sufficient.
            The UK Information Commissioner requires for approval:
            • a background paper summarising compliance;
            • the "binding corporate rules" themselves; and
            • contact details of the responsible person within the organisation to whom queries may be addressed.

            The ICO then requires a set of questions to be answered including:
• Does the organisation have its HQ in the UK and/or is the UK group company responsible for data protection? (This determines that the UK Information Commissioner is the appropriate authority to act as "lead" Authority and for the organisation to submit the rules to);
            • How are the measures legally binding? (The rules must be binding both within the organisation and for the benefit of data subjects);
            • How will compliance be verified? (The rules must be audited either internally or by external auditors);
            • What is the processing being done and what flows of information are there? (Details of the nature of the data, purposes for processing and extent of transfers should be provided);
            • What safeguards are in place? (There must be a description of the safeguards in place to protect the data);
            • What is the mechanism for reporting and recording changes? (There should be a system in place for dealing with changes to the rules both internally and externally).

Large multinational organisations are starting to look at binding corporate rules as an alternative to Safe Harbor and contracts, primarily because they offer a global solution. So far only Philips, DaimlerChrysler and GE have submitted binding corporate rules in the UK. However, the concept is at a relatively early stage and organisations may wish to learn from the experience of others before committing to this solution.



            • #7
Putting the data protection rules into practice: practical examples of overseas transfers

              Those responsible for achieving data protection compliance in a business where transfers overseas take place need to take a methodical approach to determining which of the above options most suit their business. For example, it may be relatively simple to build in consent to overseas transfers when operating a website, as collection of data online can be made subject to consenting to the privacy policy and the privacy policy can include a statement that personal data may be transferred overseas. This solution is not likely to work for a transfer of employee data for the reasons given above.

              This post looks at some common scenarios and which options may be available in each one.

              Example 1: call centre outsourcing

              InsuranceISus, a leading specialist insurance company wants to outsource its call centre to India.

              As most, if not all, the information collected on each telephone call to obtain an insurance quote will be personal data, InsuranceISus has to consider the application of the Data Protection Act 1998. InsuranceISus is the data controller in relation to the data and the call centre acts as its data processor. Firstly, as it proposes to appoint a data processor, InsuranceISus should consider what security arrangements are in place with the third party in India for the data as the Act requires that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage. InsuranceISus should make sure that there is a contract in place with the third party which sets out what InsuranceISus expects from the third party in protecting the data, for example making sure that those people who will be answering the phones to InsuranceISus' customers and will be inputting the data onto computer systems will have data protection training and will have been adequately vetted, as well as seeking assurances about the security of the systems in place, who will have access etc.

              InsuranceISus will also have to look at the arrangements in place for the transfer of data as the Act requires that personal data must not be transferred to a country outside of the European Economic Area (EEA) unless that country ensures an adequate level of protection for the rights and freedoms of data subjects or one of the exceptions applies.

              India is not one of the "adequate" countries approved by the European Commission for the purposes of transferring data. What options are suitable?

              There are various ways that InsuranceISus can meet its obligations under the Act in terms of adequacy. From a practical point of view, the easiest approach to take may be to enter into a contract with the third party in India based on the model clauses produced by the European Commission. The model clauses are intended to be used where data is transferred to a third party based outside of the EEA, for example, India. There are different types of model clauses depending on the status of the parties involved in the transfer. InsuranceISus will be outsourcing its call centre function to a data processor processing data on behalf of InsuranceISus and the outsourced provider will not be able to use this data for any other purpose. The data controller-to-data processor contract would therefore be the appropriate version.

              Given that a contract is required for Principle 7 and that the model clauses include security obligations, the model clauses could meet both requirements. Given that InsuranceISus will also want other commercial and legal issues covered in the contract, the model clauses could be annexed to the main agreement and referred to within it. It is open to InsuranceISus to carry out its own assessment of adequacy and decide that a commercial agreement meeting the requirements of Principle 7 is enough but use of the model clauses offers compliance certainty.

              Whilst in this case it may be unreasonable and impractical to expect to obtain each potential customer's consent for the transfer, this is something to consider for the future for new customers. If InsuranceISus outsources further functions overseas, for example back office processing or inbound customer service calls, it would be sensible to review its terms and conditions and data protection notices to obtain routine consent from customers to such transfers.

              Example 2: running a website

              Tony Flour is the owner of a highly successful, family-run bakery in the Cotswolds supplying a large number of local businesses and individuals.

              In the run up to the annual, highly prestigious, "Baker of the Year (Cotswold Region)" awards he decides to promote his business by setting up a website, tonysbreads.co.uk. He intends this to be seen locally to promote sales in the region and raise his profile for the competition. There is a page on the website which lists a typical day at the bakery and includes details of his customers and deliveries on that day including their names and addresses. He also describes a special delivery of wheat-free bread to Janet Thompson, one of his regulars, who suffers from a wheat allergy.

              Janet's ex-husband Derek who regularly 'Googles' his ex-wife and is now living in Ecuador, finds these details and starts sending harassing letters to Janet. Janet complains to the Information Commissioner.

              Does the posting by Tony raise any Principle 8 issues?

              For Principle 8 to apply, Tony would firstly have to be transferring personal data to a country or territory outside of the European Economic Area ('EEA').

              The questions which need to be answered are, therefore: does this information constitute personal data; is the act of posting this material on the internet "a transfer" for the purposes of Principle 8; and if so, is it a transfer to a territory outside of the EEA?

              If such a transfer is found to have occurred then it would need to be considered (a) whether there is an adequate level of protection for the rights and freedoms of the data subjects; or (b) can an exception in the DPA be made out so that Principle 8 does not apply?

              The information posted on the website is "data", as defined in the Act, as it is being processed by computer. The data is "personal data" in that it relates to living individuals who can be identified from that data (via their names and addresses).

              (The information about Janet's wheat allergy probably also constitutes "sensitive personal data" as it is personal data consisting of information as to Janet's health and medical condition. Processing sensitive personal data is generally harder to justify.)

              As the information is personal data, Principle 8 prohibits the transfer outside of the EEA unless there are adequate safeguards in place or an exception.

              The issue of whether the posting of personal data on a website constitutes a transfer for the purposes of Principle 8 was considered by the European Court of Justice ('ECJ') in the case of Bodil Lindqvist v Kammaraklagaren.

              According to the ECJ, the posting of personal data on a website within the EEA is not a transfer of personal data outside of the EEA even if that personal data can be accessed by internet users outside of the EEA, provided that it is hosted by a natural or legal person who is established in the EEA.

              So, in this case, provided that the internet service provider which hosts Tony's website is based in a member state of the EEA, no transfer outside the EEA will have occurred and Principle 8 will not apply. However, this is on the basis that Tony has no intention that his website will be accessed globally, it is aimed at the UK market.

              Consequently, there is no need to consider issues of whether a territory outside of the EEA is involved (although Ecuador is a territory outside of the EEA), issues of adequacy or the application of Schedule 4 conditions.

              The other principles will still apply. The Information Commissioner would in all likelihood consider that the posting of this information on the web was a breach of the first principle in that it was not "fair" for it to be so widely disclosed without notifying/ obtaining the consent of the data subjects.

              The answer may be different if Tony runs a global bakery enterprise, supplying bread worldwide. In that case he may intend his website to be accessed overseas and know that it will be. If that is the case his only likely solution under Principle 8 is to obtain consent.

              Example 3: US Head Office

              Boys Toys is one of the leading suppliers of toys and gadgets in the UK. It has recently been bought out by a US multinational, Big Boys' Toys.

              As part of its new reporting obligation, Boys' Toys has been asked to send copies of all of its employee records to Big Boys' Toys' head office in Washington. However, compliance with this request may be difficult as it is one of the main principles of the Act that personal data should not be transferred outside of the EEA unless the data will be adequately protected. The commercial director is a little concerned that if he sends these, he could be in breach of Principle 8, but head office is adamant that they must be sent, so he considers his options.

              The US is unique in that it is the only country where European approval provides that if a company has signed up to the Safe Harbor Principles then the transfer will be allowed. However, it is also worth bearing in mind that very few companies have actually signed up to the Safe Harbor Principles since their inception in 2000, and it is more than likely that given head office's current disregard for anything data protection related it is unlikely that it will be one of the 1,000 or so companies that have self-certified. On checking the Department of Commerce Certification page it appears (as anticipated) that Big Boys' Toys have not signed up to the Principles, so that option is out.

              The only thing that the commercial director thinks that he can do now to ensure compliance with the Act is to ask each and every one of his employees for their consent to the transfer. This may prove an unpopular request as employees may be highly sceptical of the reason for the transfer, linking it perhaps to some kind of cost cutting exercise or job outsourcing. In addition there is the practical problem of actually getting consent to the transfer. The consent has to be shown to be "clear and unambiguous" in order to be effective. Obtaining clear and unambiguous consent in an employment context is very difficult, as it could be implied that any employee's consent had to be given in order for the employee to keep his employment. Although this route may appear to be relatively straightforward it may not provide Boys' Toys with the comfort it needs to ensure compliance with the Act and the commercial director thinks that he won’t be popular with head office if he asks for consent and employees refuse.

              Although Boys' Toys could consider going down the route of putting in place a set of Binding Corporate Rules and applying for approval for these, as this will involve time, effort and commitment, the commercial director does not anticipate that head office will buy into this idea. Therefore, possibly the best option in this situation will be the use of standard contractual clauses which have been approved by the European Commission. But even these cannot be used without some words of warning. If either Boys' Toys or Big Boys' Toys does not treat the personal data in line with the Act (or equivalent principles in model clauses), then the employees could have a right of action against either Boys' Toys or Big Boys' Toys. In addition, there is a risk that the Information Commissioner could bring an investigation against Boys' Toys. But there are steps that Boys' Toys can take to limit the risk of a civil suit which involves carrying out a due diligence exercise prior to transferring the data to ensure that Big Boys' Toys are able to protect the personal data.
