The Transfer of Personal Data to Third Countries Under EU Directive 95/46/EC

Abstract

The 1981 Council of Europe Convention 108 and EU Directive 95/46/ EC assert that data protection is privacy protection. Consequently, countries with data protection rules control trans-border data flows to protect the rights of their citizens. Under the Directive, but subject to some derogations, personal data may only be transferred to third countries with adequate protection. 'Adequacy' is to be assessed in the light of all the circumstances. Alternative safeguards can be provided by means such as contractual arrangements. The Data Protection Commissioners have tried to define 'adequacy' as the usual data protection principles plus an assurance of compliance. This can be delivered by self-regulation as well as formal law. The Directive has not made a radical break with the past. The usual principles are those found in Convention 108 and in the 1980 OECD Guidelines. Those instruments also dealt with the control of trans-border data flows because of fears of restrictions on the free flow of information. The flexibility of the effective current UK law, which permits flows whilst preventing those which would lead to a breach of data protection, would have prevented the acrimony of the current debate with third countries. National laws on transborder data flows long pre-date the Directive and data protection authorities can be expected to continue to promote pragmatic methods of protecting exported data such as the use of model contracts either as a basis for derogation from 'adequacy' or as part of a package to satisfy the adequacy test. Work is taking place to build bridges between those with formal law and others relying on self-regulation. In Ottawa last October OECD ministers reaffirmed the 1980 Guidelines and if practical privacy protection can be secured globally, transborder data-flow control is of much less concern.