Gathering Clouds: Transferring Data Outside the UK

by Michael Smith (Veshengro)

While data protection is standardised to a large degree in the European Economic Area (EEA) and transfers within the EEA raise no issues, in general, transfers to most other jurisdictions, notably here the USA, may raise complex legal issues, and also privacy issues.

The 8th principle of the Data Protection Act 1988 ('DPA') stipulates that personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. The USA does not seem to do that and too many of its alphabet agencies like to lay their hands on data from the UK, for instance.

However, in a global, increasingly cloud-based economy, data transfers between the EEA and the USA and other countries are inevitable. Thus, mechanisms have been developed to accommodate this. First there are the 'Safe Harbor' rules to which US companies may sign up agreeing to be bound by rules akin to those set out in the DPA. There are also Binding Corporate Rules ('BCR') and Model Contractual Rules ('MCR') that can be invoked to address the problem. BCR are a set of inter-company rules reflecting the 8 DPA principles. These are only valid for data transfers from EEA companies to their non-EEA affiliates. The European Commission has approved MCR which comprise model contractual clauses that can be implemented into contracts for data transfers from EEA companies to unaffiliated non-EEA companies.

The DPA distinguishes between a Data Controller is a person who alone, jointly or in common with others determines the purposes for which and the manner in which any personal data are processed and is responsible for ensuring compliance with the provisions of the DPA. Where Data Controllers have external contractors process data on their behalf, the latter are known as "Data Processors". But the Data Controller nevertheless remains responsible for the actions of the Data Processors.

Where an EU Data Controller sends personal data to a non-EEA Data Processor, the MCR can be invoked. In today's cloud-based environment, data may pass through numerous different processors and countries. It is not realistic to expect the Data Controller to monitor each such transfer so it has been deemed sufficient for the non-EEA Data Processor to obtain the consent of the EU Data Controller prior to entering into an agreement to send personal data to a sub-processor and for the Data Processor to enter into an agreement with sub-processors to process and handle the data in accordance with EU data protection law.

Binding rules or not knowing the interest of the agencies in the United States it will have to said that data transfer, especially data such as medical records, and other government records of residents of the UK and EU member states, to clouds based in the USA will not be a good idea at all.

While it is said that this and that rule is in place and that American companies sign up to those the fact is that should their agencies demand data they will (have to) hand it over.

We must remember that the jurisdiction of the country in which the servers are based applies and not the jurisdiction of any of the EU member states, such as the United Kingdom.

With any such data, especially sensitive personal data, based in the cloud on servers in the USA (or elsewhere) we can all kiss the notion of privacy goodbye and we should resist and work to prevent any government data being sent from our country to a foreign one.

© 2010