The technological developments of recent decades have moved companies into an information-based era. Because of this, personal data represents a new type of raw material for their services and, at the same time, cross-border data transfers have become the lifeline of some corporations. Consequently, the safe handling and transfer of personal data to countries with less than adequate privacy and data protection laws is at the forefront of a global debate.
The first international recognition of privacy rights occurred through the United Nations Declaration of Human Rights in 1948, which stated that “no one shall be subjected to arbitrary interference with his privacy…and everyone has the right to the protection of the law against such interference….” Since then, there have been efforts by international bodies to devise a global privacy standard. However, privacy and data protection are closely correlated with cultural values, so progress in this area has been achieved only at the regional level.
The EU Data Protection Directive
The European Union (EU) addressed this issue with the passage of Directive 95/46/EC (Directive). Among other things, the Directive prohibits companies located in member states from sending personal data outside the European Economic Area (EEA) without the assurance of an adequate level of protection. The EEA consists of EU-member states plus other countries that have ratified the Directive.
EU Designation of Adequacy
What can a company located in an EU country do if it wants to transfer personal data to a non-EEA country? One option is to wait for the EU to decree that the non-EEA country has an adequate level of protection for personal data. However, this is very impractical, as currently the EU has only made 10 such designations. Interestingly, the United States is not one of them.
The Safe Harbor Principles
Although the EU does not regard the United States as providing adequate protection for personal data, the EU has made a special arrangement with the United States called “Safe Harbor.” Under the EU-U.S. Safe Harbor, U.S. companies that agree to follow seven principles of information handling are deemed to have complied with the EU Directive. Hence, EU companies can safely transfer personal data to U.S. harborees.
EU Model Clauses
The more likely scenario is that the company to which personal data is being sent is in neither the EEA nor the United States. Fortunately, there is an alternative for complying with the Directive by way of the EU Model Clauses. These model clauses are simply contract terms, drafted by the EU, which can be inserted into private contracts. As long as these clauses are written into the contract, cross-border flow of personal data is deemed compliant with the Directive.