By Brendan Ringrose. Solicitor. WhitneyMoore. 3rd February 2014
1. Transfers of data outside of Ireland
Many Irish companies process or store their personal data (or send their data to data processors to be processed) in the United States or other jurisdictions outside of the European Union. If your company is proposing to store its personal data outside the European Economic Area (EEA) (which is comprised of Iceland, Liechtenstein and Norway and the 27 member states of the European Union (EU)), you should think about this carefully in order to ensure your company is in compliance with Irish Data Processing/Data Privacy law. The general rule is that personal data cannot be transferred outside the EEA unless the country ensures an adequate level of data protection. The EU Commission has determined the countries that are deemed to provide an adequate standard of data protection. Only Switzerland, Guernsey, Argentina, Isle of Man, Faroe Islands, Jersey, Andorra, Israel, New Zealand and Uruguay have been approved in full.
The transfer of personal data by a company to a location outside of the EEA (other than to these ten jurisdictions) is a transfer to an unapproved “third country”. This includes a transfer to the United States, since the United States is deemed in principle not to have adequate data protection for the purposes of the Acts. Such a transfer is prohibited pursuant to the Act. However, if the company transferring the data is eligible for one of the exceptions to the prohibition which are set out in the Act, the transfer would be permitted. The company which is transferring the data is called a data exporter and the company receiving the data is referred to as a data importer.
2. The most usual Exceptions
One of the exceptions applies to “Safe Harbours”. A safe harbour is a data security arrangement which is approved by the United States Department of Commerce and to which the data importer is a party. It is important to note that this applies only to companies operating in the United States. If a company has entered into a Safe Harbour agreement it means that EU and Irish law considers the level of protection for data afforded by the Safe Harbour to be equivalent to that under EU and Irish law.
A “Model Contract” for the purpose of the Act is where the transfer has been authorised by the Irish Data Protection Commissioner and where the transfer is made on terms of a kind approved by the Commissioner as ensuring such safeguards.
Therefore a data controller in Ireland, intending to transfer personal data outside of the EEA, may use a Model Contract as the basis for its relationship with the third-country organisation in the country in which the data is received by the data importer. The Irish Data Protection Commissioner has confirmed that ordinarily, the Commissioner will only consider authorising contracts that are general in nature, i.e. ‘model contracts’ that can be relied upon by a number of different data controllers within a sector or category.
Binding corporate rules
In the case of a multinational company, the data controller can use EU-approved ‘binding corporate rules’ for international transfers within the company. BCRs allow an Irish company together with its group entities in the destination country to adopt common data processing standards that are compatible with EU data protection law.
There are several other exemptions from the general prohibition on transfers of data, the most notable of which is where the data processor obtains the consent of the data subject to the transfer. The nature of the consent which must be obtained is dealt with below. The exceptions (other than consent) include where the transfer is:
- required by legislation (i.e. it must be mandatory under law),
- necessary for the purposes of obtaining legal advice and where the transfer is necessary to prevent injury to the data subject,
- necessary for the performance of a contract,
- necessary for reasons of public interest, or
- of part only of the personal data on a register established by an enactment, being a register intended for consultation by the public or a register intended for consultation by persons having a legitimate interest in the subject matter.
3. The final Exception: Consent
The Act provides, as an exception to the prohibition on transfer outside the EEA, that a company may obtain the consent of the data subject to the transfer. The legislation does not set out exactly what is required by consent. The relevant EU Directive requires that ‘consent’ must be freely given and informed. Consent to the transfer of data must be explicitly given by each data subject, but what is explicit is not defined. One view of the nature of the consent to be given by a data subject is that it would need to provide for the following in order to comply with the Act:
- The consent of each data subject must be given before the collection and/or data transfer;
- The consent of the data subject would need to be in writing;
- The consent would need to specify the reason for the transfer and the country in which the data is being held (the “third country”).
There are additional restrictions where sensitive data is being transferred. According to the Irish Data Commissioner, data controllers should therefore be very cautious about relying on consent as a basis for data transfer since, in practice, demonstrating that such consent is clear, unambiguous, freely given and specific is likely to be difficult. In reality it would be preferable to rely on one of the other bases such as Safe Harbour, BCRs or Model clauses.
(This is Part 2 of a two-part series of articles on Data Processing.)
Brendan Ringrose (Brendan.email@example.com) is a Corporate Lawyer in WhitneyMoore Solicitors, Dublin 2 and advises on all aspects of data processing, data protection, shareholders agreements, share sale agreements and corporate contracts.
WhitneyMoore Solicitors, Wilton Park House, Wilton Place, Dublin 2. Telephone ++ 353 (0)1 6110000.