Transfers of personal data to third countries are regulated by Articles 27 and 28 of the Act, and by Legal Notice 155 of 2003 – ‘Third County (Data Protection Act) Regulations, 2003’.
A transfer of personal data to another country constitutes processing and as such must be notified to the Commissioner in the same way as other processing operations. No restrictions or other formalities apply in relation to transfer of personal data to:
- EU Member States;
- Member countries of the EEA; and
- Third countries (i.e. countries that are not Member States of the European Union) which are from time to time recognised by the EU Commission to have an adequate level of protection. Click here to view the official list.
The transfer of personal data to a third country that does not ensure an adequate level of protection requires an authorisation by the Commissioner.
In order to approve the transfer, the Commissioner must at least be satisfied that the controller has provided adequate safeguards, particularly by means of appropriate contractual provisions in accordance with the proviso of Article 28(3) of the Act.
EU Standard Contractual Clauses
For the purposes of adducing data protection safeguards the EU Commission issued standard contractual clauses which are deemed to provide an adequate level of data protection when data controllers transfer personal data outside EU/EEA. There are two types of contractual clauses which may be used depending on whether the data is transferred to a controller or a processor outside the EU/EEA.
1. “(EU-)controller to (Non-EU/EEA-)controller”
2. “(EU-)controller to (Non-EU/EEA-)processor”
The use of standard contractual clauses is recommended in order to ensure that the rights of individuals are safeguarded even in countries which do not ensure an adequate level of protection.
Notwithstanding the above, a transfer of personal data to a third country that does not ensure an adequate level of protection may be effected by a data controller if the data subject has given his unambiguous consent to the proposed transfer, and in the following cases:
(a) is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request;
(b) is necessary for the performance or conclusion of a contract concluded or to be concluded in the interests of the data subject between the controller and a third party;
(c) is necessary or legally required on public interest grounds, or for the establishment, exercise or defence of legal claims;
(d) is necessary in order to protect the vital interests of the data subject; or
(e) is made from a register that according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, provided that the conditions laid down in law for consultation are fulfilled in the particular case.
Although the Commissioner’s approval is not required in these cases, the transfer of personal data to such third countries should be notified to the Commissioner as a new process or as an amendment, unless it had already been notified in the original notification form (refer to the Notification Section). In analysing the data transfer, the Commissioner may request from the data controller any relevant information which he deems necessary, in order to verify that the necessary criteria to transfer under Article 28 are being adhered to.
Following the decision issued by the Court of Justice of the European Union (CJEU) in the case Schrems vs Data Protection Commissioner (Ireland), the Commission Decision 2000/520EC dated 26 July 2000, on the adequacy of the protection provided by the Safe Harbour privacy principles, was declared invalid by the CJEU Advocate General. The Court judgement requires that any adequacy decision implies a broad analysis of the third country domestic laws and international commitments.
A statement from the EU Commission on this decision may be found on the following link: http://europa.eu/rapid/press-release_STATEMENT-15-5782_en.htm The US Safe Harbour is therefore no longer considered as an automatic assurance for the privacy of citizens when their personal data is transferred to the US.
Following such ruling, the EU data protection authorities assembled in the Article 29 Working Party have discussed the consequences of such decision a press statement, available on this link: http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf
Data controllers previously transferring personal data under the Safe Harbour scheme are required to use alternative mechanisms as provided for under national law in order to guarantee an adequate level of data protection for similar transfers to the US.
Binding Corporate Rules
Binding Corporate Rules (BCR’s) are a set of rules implemented at corporate level by Multinational Groups of Organisations carrying out international data transfers within the Group. The scope of BCR’s is to allow the carrying out of intra-group data transfers, providing at the same time an adequate level of data protection across the Group. BCR’s are considered a useful tool for Multinational Organisations which by nature of their business operations are likely to carry out similar data transfers on a regular basis. An approval of a BCR implies that personal data may within the Group without necessarily having to sign an agreement with every intra-group entity in each and every processing operation involving an international data transfer.
The idea behind BCR’s is to have corporate rules which are both internally and externally binding. Internal commitment is ensured by means of appropriate intra-group agreements, undertakings, other regulatory measures and internal policies applicable between group entities and other rules directly binding upon employees. BCR’s should also be enforceable externally and therefore data subjects should be in a position to exercise third party beneficiary rights and seek compensation for damages even where information is transferred to non-EU jurisdictions.
In principle a BCR is only enforceable for transfers of personal data within the group. Therefore, in the case of data controllers or processors who are not group entities, and who are established in third countries not ensuring an adequate level of data protection, these should still be regulated by the appropriate model contractual clauses issued by the EU Commission. In the case of data controllers or processors operating in EU jurisdictions, the general provisions within community law would apply and therefore in the case of a data processor, a contractual agreement within the meaning of article 25 of the Data Protection Act (art.17 of Directive 95/46EC) would be sufficient.
In order to initiate the coordinated procedure for implementing Binding Corporate Rules, the corporate group should:
(a) Approach a Data Protection Authority to act as lead DPA; (the criteria for choosing the lead DPA are normally the location of the EU Headquarters of the Group or the EU Group Entity with delegated data protection responsibilities;
(b) Submit a standard application form for BCR’s adopted by way of Recommendation 1/2007 of the Article 29 Working Party which is a European Independent Advisory Body on Data Protection and Privacy set up under Directive 95/46EC. More information can be found at the following link:
So far the following procedure has been used to approve BCR’s:
- There is first contact with the DPA chosen to act as lead authority, and part I of the application form (WP 133) is submitted;
- The selected DPA informs other DPA’s on the application and acceptance of the lead authority is given within 1 month;
- The applicant submits part II of the application (WP 133) together with supporting documents to the lead DPA for review and discussion in order to agree on a consolidated draft and application;
- The lead DPA circulates the consolidated draft and DPA’s are requested to comment and suggest changes to the text within one month (time frame may be prolonged if there are comments/ amendments and a new version is circulated);
- Final draft is circulated to DPA’s for approval, after which the lead authority formally informs Article 29 Working Party that the procedure has been concluded.