THE TRANSFER OF PERSONAL DATA ABROAD

Transcription

1 THE TRANSFER OF PERSONAL DATA ABROAD MARCH 2014 THIS NOTE CONSIDERS THE SITUATION OF AN IRISH ORGANISATION OR BUSINESS SEEKING TO TRANSFER PERSONAL DATA ABROAD FOR STORAGE OR PROCESSING, IN LIGHT OF THE CURRENT DATA PROTECTION OBLIGATION. THE PURPOSE OF THIS NOTE The Data Protection Act 1988 and the Data Protection (Amendment) Act 2003 (the Acts) govern the treatment of personal data by businesses and organisations in Ireland. This note considers:- the minimum legal standards for the transfer of personal data abroad without committing an offence under the relevant Acts; the concept of best practice in data protection of an organization or group; and the data protection obligation of an Irish organisation or business (Transferor) which controls personal data contemplating the transfer personal data abroad for storage or processing. It is not intended to cover all Irish data protection requirements. When referring to data being transferred, it is assumed for the purposes of any transfer discussed, that the requirements under the Acts have been complied with in respect of it up to the point of transfer. Three categories of transferee country are to be distinguished according to the Act: First Category: Second Category: Third Category: A country within the EEA or on the EU approved list The US A country outside the US and not on the EU approved list 1

2 RELEVANT POINTS The following points are relevant to this note:- Personal data means data relating to a living individual who is or can be identified either from the data, or from the data in conjunction with other information that is, or is likely to come into, the possession of a data controller. Every country in the European Economic Area (EEA) applies strict data protection policies in relation to the processing. Storage and exporting of personal data by organisations and businesses. With the growth of online trade, an increasing number of Irish organisations and businesses, like their counterparts elsewhere, transfer some of their functions and operations to subsidiaries or suppliers abroad. These functions can include customer services such as dealing with orders, invoicing services and marketing and support services. They can also include internal operational services such as services relating to personnel and human resources. A significant amount of these operations will involve transfers of personal data and not all of the countries to which the personal data is transferred are within the EEA. THE RESTRICTION ON THE TRANSFER OF PERSONAL DATA OUTSIDE THE EEA It is unlawful to transfer personal data outside the EEA unless either one of the 11 specified adequate protection exceptions below applies, or the Transferor has arranged that adequate legal protections will apply to the data transferred. a) The 11 Specified Adequate Protections The 11 specified adequate protections are:- (i) the transfer of the data or the information constituting the data is required or authorised by any law or treaty; (ii) the data subject has given his or her consent to the transfer; (iii) the transfer is necessary for the performance of a contract between the data subject and the data controller, or for the taking of steps at the request of the data subject with a view to his or her entering into a contract with the data controller; (iv) the transfer is necessary for the conclusion or performance of a contract between the data controller and a person other than the data subject that is 2

3 entered into at the request of the data subject, and is in the interests of the data subject; (v) the transfer is necessary for reasons of substantial public interest; (vi) the transfer is necessary for the purpose of obtaining legal advice, legal proceedings or prospective legal proceedings or establishing or defending legal rights; (vii) the transfer is necessary in order to prevent injury or other damage to the health of the data subject or serious loss of or damage to property of the data subject or otherwise to protect his or her vital interests, and informing the data subject of, or seeking his or her consent to, the transfer is likely to damage his or her vital interests; (viii) the transfer is part only of the personal data on a register established by law intended for consultation by the public or by persons having a legitimate interest; (ix) the transfer has been authorised by the Commissioner on terms of a kind approved by the Commissioner as ensuring privacy safeguards; (x) in the case of a transfer of personal data to a country in the Second Category, that the Safe Harbour arrangement applies; and (xi) in the case of a transfer to a country in the Third Category, that a contract in the appropriate form provided by the EU has been entered into with the transferee to provide adequate protection for the data transferred. If any one of the 11 Specified Adequate Protections apply and the data activity of the transferee is already compliant under the Acts, then it will not be an offence for a Transferor to transfer personal data to any country, whether within the EEA or not. b) Adequate Level of Protection If none of the 11 specified adequate protections apply, then the transfer of personal data by a Transferor to a transferee in a country not in the EEA is unlawful unless that country, effectively the transferee, ensures an adequate level of protection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of personal data. In determining what constitutes an adequate level of protection, the Acts provide that the following 8 matters (the 8 Potentially Relevant Matters) may be relevant:- the nature of the data; 3

4 the purposes for which and the period during which the data are intended to be processed; the country of origin of the information contained in the data; the country of final destination of that information; the law in force in the country of final destination; any relevant codes of conduct or other rules which are enforceable in that country; or territory; any security measures taken in respect of the data in that country; and the international obligations of that country. c) What Standard is Adequate? The imposition of a standard of an adequate level of protection on a transferor is effectively an absolute standard of protection. If the transferor adopts a level of protection which on the best professional advice is regarded as adequate but subsequently, despite the protections in place, there is a data breach, the level of protection will then be regarded as inadequate and the data controller concerned may be at risk of prosecution for a breach of data legislation. The situation of a Transferor may be illustrated by the following example:- Example I X limited an Irish business wishes to transfer personal data relating to its employees pension scheme to a company in Ruritania, a non EEA country. If X limited complies with the Acts as regards data activities in Ireland and at least one of the 11 specified adequate protections applies, the transfer of the data to the company in Ruritania will not be prohibited. The issue of whether X has arranged an adequate level of protection is another matter. If it happens that there is a serious data breach in Ruritania, then although X limited may be prosecuted for not providing an adequate level of security, it cannot be prosecuted for wrongfully transferring personal data outside the EEA. Example II The situation is the same as in Example I except that this time X limited, although compliant with the Acts in Ireland, does not avail of any of the 11 specified adequate protection exceptions but chooses to rely on advice that in Ruritania, there will be an adequate level of protection. If this 4

5 advice is incorrect, X limited may be liable to prosecution on two counts- for an unlawful transfer of data and for a failure to provide an adequate level of protection. CAN A TRANSFEROR SAFELY RELY ON THE MINUMUM LEVEL OF DATA PROTECTION COMPLIANCE? A Transferor should consider this question in relation to the circumstances in which the Transferor finds itself. In order to answer this question besides the 8 potentially relevant matters, the Transferor may wish to take the following matters into account when considering whether any of the 9 specified adequate exception apply :- a) The scope of a consent from a data subject may be limited In many situations the data subject will have volunteered personal data and will have provided some form of consent. One of the main ligitimising features of a data processing activity is that the data subject has given consent to the use of the data. However, when a data subject gives consent to use personal data to a data controller, neither the data controller nor the data subject may foresee the technical and commercial developments which will take place after the date of the consent and which will be relevant to the use and treatment of the data provided. It is therefore possible that after a consent has been provided it will be found to be deficient in some respects as regards the treatment of the data concerned. b) Warning from EU Commission It is the express intention of the EU Commission that the personal rights under the Data Protection Directive 94/46/EC (the DP Directive) of a data subject in the EU should not be diluted or frustrated by the transfer out of the EU of personal data relating to him or her. Accordingly, the Directive imposes an obligation on data processors who transfer personal data outside the EEA to ensure that notwithstanding such transfer, the rights of the data subject derived from the DP Directive are fully preserved. The responsibility is imposed firmly on the shoulders of the data controller making the data transfer. In the words of the EC Working Party dealing with data protection issues:- When planning to transfer data to a third country, data controllers established in the European Union should favour solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards to which they are entitled as regards processing of their data in the EU once this data has been transferred. 5

6 c) Different standards of compliance may apply in different EU Member States Different EU Member States may set different standards for data compliance. Personal data may be channeled back and forth through different EU Member States and other countries as part of the operations of an international group. In the case of the consent of a data subject, it may not be prudent to rely entirely on a consent taken in one EEA country as a legitimizing condition to the transfer of that personal data from another EEA to a country outside the EEA. d) Uncertainty regarding other specified protections The application of at least some of the 11 specified adequate protection exceptions may not be clear in all situations. Where the word necessary is used in a specified adequate exception (see paragraph 3 above, items (iii), (iv), (v), (vi), and Vii)), a Transferor who relies on a particular exception containing the word necessary may have concerns as to how the exception will be construed. For the exception to apply, must there be no other means of achieving the objective within the EEA? Accordingly, to be safe from prosecution in relation to transfer of data outside the EEA, it will often be prudent for a Transferor not to rely solely on one or more of the 11 specified adequate protection exceptions. CAN THE TRANSFEROR SAFETY RELY ON THE MINIMUM LEVEL OF ADEQUATE PROTECTION? In order to answer the same question in relation to whether the Transferor has arranged adequate legal protection the Transferor may wish to take the following into account:- I. Commercial repercussions Data breaches can occur for many reasons: computer hacking, theft of files, systems malfunction etc. Where a data breach occurs, there could be serious commercial as well as legal repercussions for the data controller. II. If a data breach occurs, a Court may be lenient if the Transferor has maintained high standards The obligation imposed under the Acts on an Irish data controller to ensure the integrity and security of data controlled (as mentioned above) is absolute. Even if the data controller has 6

7 not been personally at fault (for example, the data breach was the responsibility of a service provider operating abroad), this will not be valid as a defense for the data controller against a charge in respect of an offence under the Act. However, if a serious data breach occurs, by showing that it is pro-active and attentive to the rights of data subjects, a Transferor on my win the sympathy of data protection authorities and the courts and thus suffer a penalty that would apply where the standards of data protection are regarded as minimal. III. Desire for highest standards on moral or ethical grounds Even though the Transferor may be in a position to comply with at least the minimum legal standards required by the Acts in relation to the transfer of data out of the EEA, because of the nature of the Transferor s business or business culture, it may suit the Transferor to adopt best practice or at least a higher standard of data protection than is legally required. For these and other reasons, a Transferor should normally consider what additional data protection safeguards can be adopted over and above what is strictly necessary and particularly, in respect of a transfer of data abroad. BEST PRACTICE IN DATA PROTECTION GENERALLY Best practice in data protection for an organization or business is likely to involve the following:- appropriate data protection systems including qualified staff for advising and training on best practice; a policy protocol on information security regulations and reputation management; an updated employee website information, handbooks and practices which deal with data protection issues; appropriate employment and commercial contracts; website terms; rules for international transfers of personal data; employees who have received comprehensive training on an on-going basis in data protection principles and the Group's compliance strategy; regular internal audits of compliance with data protection policy; and a crises response plan. 7

8 Where the Transferor is a member of a group of companies, best practice would require the group to adopt and apply a group policy incorporating features such as those listed above. In deciding upon the level of protection which should be employed by an organization or business, besides the 8 potentially relevant matters, the following questions should be asked:- what is the worst thing that can happen in relation to the personal data being controlled and processed; and what preparatory work should be undertaken so as to be in a position to reduce the harm that can be caused by such an event. THE TRANSFER OF PERSONAL DATA TO A COUNTRY IN THE FIRST CATEGORY The prohibition on transfers of personal data out of Ireland does not apply in the case of transfers to countries in the First Category on the basis that such countries are assumed to have adequate protections in relation to personal data. Nevertheless, for the reasons provided above, on making transfers of personal data to a country in the First Category, it may not be considered sufficient to rely the minimum legal data protection safeguards are in place. The Transferor should consider whether:- its own level of protection will be sufficient for all reasonably foreseeable customers; if it is part of a group in which transfers of personal data are exchanged, there is a group data policy which will offer sufficient protection for all reasonably foreseeable outcomes; in the event of a data breach involving the foreign recipient of the personal data or any subcontractor to that recipient, sufficient protection policies, including a crisis management policy, will be in place; and in the event of a data breach for which the recipient or any subcontractor is responsible, the Transferor should be indemnified against any loss or damage thereby arising. THE TRANSFER OF PERSONAL DATA TO THE COUNTRY IN THE SECOND CATEGORY As the US is a major force in international trade and communications, to facilitate the transfer of personal data to US organisations, under an agreement between the EU Commission and the US, US organisations may register with the US Department of Commerce under the Safe Harbor Program (the Program). The Program sets out a framework of data standards to allow unrestricted transmission of data between data controllers in the EEA and US organisations 8

9 which participate in the Program. The Program establishes 7 principles 1 of data protection which are similar, but not identical to, those applying under the EU Data Protection Directive. A data protection policy under the Program must specify the:- statutory body which has jurisdiction to hear complaints against it; particular privacy program to which it belongs; and independent mechanism by which complaints may be investigated. When a US organisation has set up a data protection policy and declares that it is compliant with the Safe Harbour Principles, it may register as a participant in the Program. It must self-certify compliance with the US Department of Commerce annually. In 2013, the EU Commission expressed deep concerns regarding the Program and called on the US to take urgent steps to improve standards. 2 One of the concerns relates to a lack of rigour in the enforcement of the self-certification element contained in the Program. To date there has been no change in EU policy towards US organisations arising out of the concerns expressed. Bearing in mind the absolute responsibility of a Transferor for data protection, in any arrangement involving the transfer on personal data to the US, best practice should involve the matters set out in below:- a) The Contract of supply The Transferor should ensure that in any contract of supply with a data processor operating in the US (the US supplier), that the contract requires the US supplier to:- register under the Safe Harbor Program; have a privacy policy and to operate under the seven US recognized Safe Harbor Privacy Principles; produce a certificate of compliance with the standards of the seven US recognized Safe Harbor Privacy Principles, from a suitably qualified third party auditor; give the right to approve of all subcontractors and oblige them to maintain suitable privacy standards; and Communication from the Commission to the European Parliament and Council, Rebuilding Trust in EU-US Data Flows, Brussels, 27/11/13. 9

10 update its Safe Harbor registration annually. b) Where subcontractors are used, or are to be used Where data is passed, or is intended to be passed by the US supplier to another US entity for storage or processing, the transferor should ensure that such other entity will likewise register and comply with the Safe Harbor Program and have a privacy policy. c) Renewal of certificate Each year, the transferor should ensure that the US supplier deliver to the organisation a copy of the renewed annual Safe Harbor certificate for itself and for each of the entities referred to at a) and b) above as such certificates are only valid for a year at a time. It may not be sufficient for transferor simply to rely on the website of the US government listing companies. d) Privacy policy The Transferor should obtain a copy of the privacy policy of the US suppliers and satisfy itself that it is in order. It may not be sufficient to rely on the privacy policy mentioned on a company s website. The transferor should obtain the policy governing his contract. e) Internal Verification Obtain from the supplier independent verification that under the self-assessment approach, the published Safe Harbor privacy policy of the supplier on any subcontractor is accurate, comprehensive, prominently displayed, completely implemented, accessible, and conforms to the Safe Harbor Privacy Principles. The independent verification should indicate that appropriate employee training, as well as internal procedures for periodic and objective reviews of compliance are in place. The statement verifying the self-assessment should be signed by a corporate officer or another authorized representative of the verification organization at least once a year. f) Auditor s statement At reasonably regular intervals, the transferor should oblige the US supplier and any other entity involved in the processing and storage of transferred data to produce from a suitably qualified 10

11 third party auditor, a certificate of compliance with the standards of the seven US recognised Safe Harbor Privacy Principles. g) Indemnity To avoid any cost in relation to claims, it would be prudent for the transferor to secure an indemnity against any legal or other costs of the transferor arising out of a data breach for which the US supplier or any subcontractor is responsible in respect of the data which the transferor has entrusted to the US supplier. Finally, the Transferor should consider the points made above in relation to transfers of personal data to a country in the First Category, namely dealing within a group and preparation to deal with any crisis which may occur as a result of a data breach. THE TRANSFER OF PERSONAL DATA TO A COUNTRY IN THE THIRD CATEGORY A country in the Third Category, namely, a country outside the EEA (other than to the US) which is not on the EU Approved List is permitted on the basis that Irish legal requirements have been complied with to the point of transfer and provided that either:- at least one of the 11 specified adequate protection exceptions apply; or adequate legal protection continue to apply to the data transferred. In order to assist in meeting the obligation to provide an adequate level of protection, when dealing with suppliers, the transferring organisation or business can use EU-approved model contracts which contain data protection safeguards sufficient to meet EU standards. In the case of a multinational group, the data controller can use EU-approved binding corporate rules for international transfers of personal data within the group. However, as mentioned above, it is prudent for a Transferor to consider employing higher standards of data protection than are necessary to confirm with the minimal legal requirements. In addition to usage of EU model contracts, the same points as apply in the case of transfer of data to a country in the First Category also apply to transfers a data to a country in the Third Category. 11

12 FUTURE DEVELOPMENTS A Transferor should be aware that it is shortly to enact to EU Regulation consolidating and expanding data protection law. DISCLAIMER This note is a general discussion of the law relating to agency in Ireland and does not purport to be a comprehensive examination of the law/legal advice. Before taking any action, full professional advice should be obtained. CONTACT INFORMATION For further information, including assistance on drafting privacy policies, please do not hesitate to contact us. URSULA TIPP Partner Tel: M: utipp@tipp-mcknight.com MICHAEL O CONNOR Partner Tel: M: moconnor@tipp-mcknight.com 12