Data transfer according to British law

Transferring and transmitting data abroad

The eighth principle of the UK Data Protection Act (DPA) 1998 contains a general provision on international data transfer. The UK Information Commissioner (ICO), www.ico.org.uk, also provides a guide with information on international data transfer.

A distinction is to be made between data traffic inside and outside the European Union (EU) and the European Economic Area (EEA).

Data traffic inside the EEA

The Data Protection Directive 95/46/EC and the UK DPA permit data transmission within the EU/EEA.

Under the UK Data Protection Act, the rules may be applied only in such a way that the free movement of personal data between the Member States of the European Union is not impaired or prohibited.

Data traffic outside the EU/EEA

According to the 8th principle of the DPA, free data traffic is only permitted with countries outside the EU/EEA if they ensure an adequate level of data protection. This provision shall also apply if processing personal data is outsourced to a third-party country.

In the explanation of the eighth principle, the DPA refers, in Schedule I, Part 2, to the Data Protection Directive and states that the appropriateness of the level of protection offered by a third-party country is to be judged in consideration of all circumstances that play a part in a data transfer or a category of data transfers. In particular, the type of data, the purpose and duration of the processing envisaged, the country of origin and destination, and the general or sectoral legal standards in the third-party country are to be considered.

Exceptions to the ban

Notwithstanding the ban in the 8th principle, Schedule IV of the DPA contains a variety of exceptions under which forwarding personal data to a country outside the EEA, which is unable to guarantee an appropriate level of protection, can be permitted.

A transfer is permitted if the data subject has given his/her consent without a shadow of a doubt or if the processing is necessary for protecting national security.

Furthermore, Schedule IV of the DPA permits the transfer to a third-party country if the transfer is necessary for:

  • fulfilling a contract between the data subject and the data controller responsible for processing the data, or carrying out pre-contractual measures when requested to do so by the data subject;
  • concluding or complying with a contract which has been concluded with a third party in the interest of the data subject by the data controller;
  • protection of the public interest;
  • protecting or defending legal claims;
  • the use of legal aid;
  • the protection of the data subject’s vital interests.

Additional exceptions apply if:

  • passing on personal data is part of a public directory, under the precondition of the directory being subject to regular inspection;
  • the transfer meets the conditions approved by the ICO;
  • the transfer is carried out for journalistic, artistic or literary purposes;
  • the transfer is carried out for domestic purposes.

Binding Corporate Rules

Personal data can be transferred to organisations in the same group in third-party countries as long as “binding corporate rules” (BCRs) are applied.

Organisations that issue a request for BCRs must demonstrate that their BCRs display adequate protection measures. The regulations for BCRs in the United Kingdom comply with the recommendations of the Article 29 Working Party. The BCRs must be approved by the responsible data protection authority.

If the ICO is the responsible data protection authority, the standard form of the Article 29 Working Party shall be used for the request.

The ICO guide contains in-depth, useful information on BCRs:

Standard contractual clauses

On the basis of Article 26(2) of the EU Data Protection Directive 95/46/EC, transferring personal data to third-party countries without an appropriate level of protection is permitted if the data controller provides sufficient guarantees in terms of the protection of privacy, basic rights and basic freedoms of the individuals, as well as in terms of exercising any associated rights.

In accordance with Schedule 4 of the DPA, a transfer of personal data can take place once the ICO’s approval has been obtained. In accordance with this, the ICO’s standard contractual clauses must be approved before the transfer can take place.

The DPA is built upon 8 principles, which must be complied with if a transfer of data occurs outside the EEA. Should a data controller use model contract clauses to demonstrate sufficient guarantees, these 8 principles must be incorporated.

Additional information on standard contractual clauses can be found in an ICO guide: