The Dangers of Transferring Data Outside of Ireland

David Fagan of Business Legal provides guidance on transferring personal data outside Ireland. David states a transfer between European Union jurisdictions is relatively painless and straightforward, yet warns a transfer to other jurisdictions is a little more tricky. He states it is advisable to replicate aspects of the European Union data privacy regime to ensure there is an adequate level of protection in place. David identifies a number of jurisdictions that have been designated safe yet, when transferring outside of these jurisdictions, suggests ways in which organisations can protect or legitimise the transfer, for example by way of consent or by using model clause contracts.

Transcription

I suppose the first thing to say is that transferring personal data across any border is technically a transfer in data protection terms and theoretically the Data Protection Commissioner in Ireland has the power to prevent such a transfer. So theoretically the Data Protection Commissioner could, if it wished, decide that a transfer from Ireland to the UK was an unlawful transfer. However, in order to do so the Data Protection Commissioner would have to make a positive order to that effect, and to my knowledge, it has never done so.

A transfer between European Union jurisdictions, therefore, is relatively painless and straightforward. A transfer to other jurisdictions, however, requires that the European Union data privacy regime be replicated to some extent, either in the case of some data that there is a private scheme put in place by companies seeking to transfer data, giving roughly equivalent rights as would be given within the European Union for the processing of that data, or alternatively, that some jurisdictions are simply considered safe by the European Union.

In essence, Section 11 of the Data Protection Acts as they currently are constituted requires that there is an adequate level of protection, and that is with regard to the nature of the data or the purpose and period for which the data is processed inside Ireland, the country of origin of the data, the final destination of the data, the law of the final destination country, the codes of conduct, if any, in the destination country, the security measures in the final destination country, and the international obligations of that country. However, whilst that's the theory, in practice, certain jurisdictions have simply been designated as safe. These are Andorra, Argentina, Canada for some purposes but not others, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.

Two notable absentees from that list perhaps are Australia and the US, and indeed Canada is only considered safe for private organisations and not either charities or the state. This is because private organisations are regulated for data privacy in Canada but the state and the charities have different regulations that the EU does not consider equivalent to EU protection.

So, if you wish to transfer data to a country that is not within the EU or the EEA, that is to say the EU plus Liechtenstein, Norway, or indeed Switzerland (which is not a member of the EEA but is considered the same for data protection purposes due to a bilateral agreement) if you wish to transfer data outside of those jurisdictions, then you either transfer data to one of the safe jurisdictions I’ve mentioned already, or you need to legitimise that transfer in some way.

Those methods are consent, that is to say, that the data subject, the person about whom the data that person or the data is about, that data subject has consented to transfer to their jurisdiction. Or there is a method known as model clause contacts. These are standard form contracts which within the body of that contract set out the security arrangements for the handling of that data, or for transfers within corporate groups that are what are known as binding corporate rules. These are arrangements in a group structure of companies, whereby the companies agree how that data is to be handled within the group.

And also for the US, there was what was known as the Safe Harbour Registration, which came to an end due to a court challenge and is now being replaced with the Privacy Shield arrangement. In essence what Privacy Shield is a negotiation between the EU and the US, and in essence, it is a civil law method of dealing with data protection. Companies who sign up to the Privacy Shield arrangement agree by contract effectively to deal with data in a particular way, and the European Union currently is happy with that arrangement.

However, the original arrangement known as Safe Harbour was ended by a court case from Mr. Max Schrems and Mr. Schrems has threatened, I believe, further action against the Privacy Shield arrangement. So it is not absolutely certain how long that Privacy Shield arrangement will last. It may last for quite some time or, indeed, permanently or it could be subject to further legal challenge.