Sending Personal Data Outside the European Economic Area
The technological developments of recent decades have moved companies into an information-based era. Because of this, personal data represents a new type of raw material for their services and, at the same time, cross-border data transfers have become the lifeline of some corporations. Consequently, the safe handling and transfer of personal data to countries with less than adequate privacy and data protection laws is at the forefront of a global debate.
The first international recognition of privacy rights occurred through the United Nations Declaration of Human Rights in 1948, which stated that “no one shall be subjected to arbitrary interference with his privacy…and everyone has the right to the protection of the law against such interference….” Since then, there have been efforts by international bodies to devise a global privacy standard. However, privacy and data protection are closely correlated with cultural values, so progress in this area has been achieved only at the regional level.
The EU Data Protection Directive
The European Union (EU) addressed this issue with the passage of Directive 95/46/EC (Directive). Among other things, the Directive prohibits companies located in member states from sending personal data outside the European Economic Area (EEA) without the assurance of an adequate level of protection. The EEA consists of EU-member states plus other countries that have ratified the Directive.
EU Designation of Adequacy
What can a company located in a EU country do if it wants to transfer personal data to a non-EEA country? One option is to wait for the EU to decree that the non-EEA country has an adequate level of protection for personal data. However, this is very impractical, as currently the EU has only made 10 such designations. Interestingly, the United States is not one of them.
The Safe Harbor Principles
Although the EU does not regard the United States as providing adequate protection for personal data, the EU has made a special arrangement with the United States called “Safe Harbor.” Under the EU-U.S. Safe Harbor, U.S. companies that agree to follow seven principles of information handling are deemed to have complied with the EU Directive. Hence, EU companies can safely transfer personal data to U.S. harborees.
EU Model Clauses
The more likely scenario is that the company to which personal data is being sent is neither in the EEA nor the United States. Fortunately, there is an alternative for complying with the Directive by way of the EU Model Clauses. These model clauses are simply contract terms, drafted by the EU, which can be inserted into private contracts. As long as these clauses are written into the contract, cross-border flow of personal data is deemed compliant with the Directive.
Binding Corporate Rules
Multinational corporations can avail themselves of yet another mechanism for compliance with the Binding Corporate Rules, which are internal contracts between members of multinational groups (e.g., a parent and subsidiary). These rules create rights for individuals, which can be exercised before the courts.
Exemptions from the Directive
There are several exemptions from the EU data transfer prohibition under which personal data can be transferred even when there is no adequate level of protection. Examples include: when the individual has clearly and freely consented to the transfer; when the transfer is necessary for the performance of a contract with the individual (e.g., an airline reservation); when required in a legal proceeding; when the data is part of a public register; when necessary to protect the vital interest of the individual (e.g., the individual has a heart attack); and when there is a substantial public interest.
Something as simple as emailing a human resources file, or posting personal data on a website, can bring about a violation of the Directive. It is important for companies situated in EU countries to examine their privacy and data protection policies to ensure compliance with the Directive and corresponding local legislation. Violations are considered criminal offenses.
Raul Magallanes runs a Houston-based law firm focusing on telecommunications law. He may be reached at +1 (281) 317-1397 or by email at raul@ rmtelecomlaw.com.