Organisations that transfer personal data from Ireland to third countries – i.e. places outside of the European Economic Area (EEA) – will need to ensure that the country in question provides an adequate level of data protection.  Some third countries have been approved for this purpose by the EU Commission.  The US ‘Safe Harbour’ arrangement has also been approved, for US companies which agree to be bound by its data protection rules.  In the case of countries that have not been approved in this way, there are a number of other ways in which a data controller can ensure that the data protection rights of individuals are respected.  The Controller can use EU-approved ‘model contracts’ which contain data protection safeguards to EU standards.  In the case of a multinational company, the data controller can use EU-approved ‘binding corporate rules’ for international transfers within the company. 

In certain limited circumstances – especially where the individual data subject has clearly given her or his  consent – transfers of personal data may take place even if the level of protection to be afforded to the transferred data cannot be guaranteed in law.  The narrow scope of these circumstances is spelled out in  the Article 29 Working Party document WP 114 of 25 November 2005.  

A best practice approach would be for a data controller planning an international data transfer to consider first whether the third country provides an adequate level of protection and to satisfy himself or herself  that the exported data will be safeguarded in that country. In the case of data transfers  to the US, the controller exporter may want to encourage the importer to subscribe to the Safe Harbor principles. If the level of protection in the third country is not adequate in the light of all the circumstances surrounding a data transfer, the data controller should consider  providing adequate safeguards through use of EU-approved ‘model contracts’ or ‘binding corporate rules’.  Only if this is truly not practical and/or feasible should  the data controller  consider relying on data subject consent or the other derogations provided for in law.  This is particularly so in the case of  repeated  transfers of  personal data, especially where the data involved in sensitive.  

The rules regarding transfers to third countries can be summarised as follows.  Clicking on a highlighted phrase will take you straight to more details about each particular topic.

1. The general rule is that personal data cannot be transferred to third countries unless the country ensures an adequate level of data protection. The EU Commission has prepared a list of countries that are deemed to provide an adequate standard of data protection.

2. If the country does not provide an adequate standard of data protection, then the Irish data controller must rely on use of approved contractual provisions or one of the other alternative measures,  provided for in Irish Law.

3.  The Data Protection Commissioner retains the power to prohibit transfers of personal data to places outside of Ireland, if he considers that data protection rules are likely to be contravened, and that individuals are likely to suffer damage or distress as a result.

More details on each of the above points are given below. 

 Adequate Standard of Data Protection

As mentioned above, the general rule is that – from 1 April 2002 – personal data cannot be transferred to third countries unless the country ensures an adequate level of data protection.  A “third country” is a country outside of the European Economic Area (EEA).  (Note:  The European Economic Area is made up of the twenty-seven EU Member States as well as Norway, Iceland and Liechtenstein.)  

The “adequacy” test relates to all of the circumstances surrounding a proposed transfer of personal data, including the nature of the data, the purposes for the transfer, the laws in force in that country, and the security measures in place.  The EU Commission maintains a list of approved countries which are regarded as satisfying this requirement.  So if a country appears on this “approved list”, then Irish data controllers may transfer personal data to such countries, in the same way as if the transfer were being made within Ireland, or within the EEA.

Question:  What countries are on the EU’s approved list?
Answer: So far, only Switzerland, Guernsey, Argentina, Isle of Man, Faroe Islands and Jersey have been approved in full.  Canada has been approved for certain types of personal data.  The  ‘Safe Harbour’ arrangement – a voluntary but enforceable code of good data protection practice, established by the US Department of Commerce – has also been approved, to facilitate transfers of personal data to US organisations which have signed up to the arrangement. The Commission has also approved the transfer of advance airline passenger data to the US, Canada and Australia. (Transfers of personal data to other US organisations, which have not signed up to the Safe Harbour arrangement, are subject to the same restrictions as transfers to other unapproved third countries.)  The EU Commission website gives full information about which third countries have been approved for data protection purposes, and about the Safe Harbour arrangement.  Further details about the Safe Harbour arrangement, including a list of US companies which have signed up to the arrangement, are also available at the US Department of Commerce website.

Question:  If a country is not on the EU’s 'approved list', can anyone else make a judgement about whether a country provides an adequate level of data protection?
Answer:  The Regulations make it clear that any EU findings about the adequacy or inadequacy of a third country’s data protection regime are definitive, and cannot be second-guessed by national data protection authorities or by data controllers.  The Regulations also envisage situations where the Data Protection Commissioner may consider that a third country does not ensure an adequate level of data protection.  In such situations, the Regulations require the Commissioner to inform the EU Commission, and the other Data Protection authorities throughout the EU, of his opinion.  If the Data Protection Commissioner were to form such a view, it would be reasonable and prudent for Irish data controllers to regard such a view as authoritative, until such time as the view has been modified by the EU Commission.

If neither the EU nor the Commissioner has expressed a view on the matter, then in theory a data controller might form its own view that a third country ensures an adequate level of data protection.  However, this practice is not recommended, as the Data Protection Commissioner might form a different view, and might issue a prohibition notice to prevent the transfer of data.  Generally speaking, it would be unwise to attempt to transfer personal data to “unapproved” countries, without first consulting the Data Protection Commissioner’s Office, or without using the other alternative mechanisms which are discussed below.

Question:  If a third country is not on the EU’s approved list, does this mean a data controller cannot transfer personal data to such a country?
Answer:  No, this is not the case.  If a country is not approved by the EU Commission as providing an adequate standard of data protection, a data controller can still transfer personal data to such a country by using one of the alternative procedures, such as using an approved contract.  More details about these alternative provisions are given in the next section, below.   

 Transferring Personal Data to Non-Approved Third Countries

The Nine Alternative Measures  
If a country does not appear on the EU Commission’s “approved list”, then Irish data controllers must normally enter into  approved contractual arrangements which guarantee the  rights of the individuals concerned.  In certain limited circumstances – especially  where the individual data subject has clearly given her or his  consent – transfers of personal data may take place even if the level of protection to be afforded to the transferred data cannot be guaranteed in law.  The narrow scope of these circumstances is spelled out in  the Article 29 Working Party document WP 114 of 25 November 2005. The full  list of available options, as set out in Section 11 (4) of the Data Protection Act, is as follows:

If a data controller can point to one or more of the following eight alternatives, then the transfer of personal data to the third country may proceed:

  (i)   the transfer of personal data is required or authorised by law

Comment: If a data controller is subject to a requirement under Irish law to transfer personal data to a third country, or is clearly authorised by Irish law to make the transfer, then the transfer may proceed.

  (ii)  the data subject (i.e. the individual to whom the personal data relates) has given his or her consent to the transfer

Comment: If you wish to transfer a database containing records about many individuals to a third country, then – in order to rely on this provision – you need to obtain the consent of each one of these individuals before you can transfer their data.  In interpreting what is meant by the word ‘consent’, the Data Protection Commissioner will have regard to relevant provisions of the 1995 EU Directive, which refers to the ‘unambiguous consent’ of individuals in this context.  The Directive also requires that 'consent' must be freely given and informed. Data controllers should therefore  be extremely cautious about relying on consent as a basis for data transfer since, in practice, demonstrating that such consent is  clear, unambiguous, freely given and specific is likely to be problematic.

(iii) the transfer is necessary for the performance of a contract to which the data subject is party;  or the transfer is necessary for the taking of steps – at the request of the data subject – with a view to his or her entering into a contract with the data controller

(iv) the transfer is necessary to conclude a contract (or to perform a contract) between the data controller and someone other than the data subject, in cases where the contract is entered into at the request of the data subject, or where the contract is in the interests of the data subject

Comment: Data controllers should  be cautious about relying on provisions (iii) and (iv) since the “necessity” test rules out use of these provisions other than in very specific circumstances.  For example, it would not be prudent to rely solely on these provisions for the transfer of employee data within a multinational company.

(v) the transfer is necessary  for reasons of substantial public interest

Comment:  this basis is only likely to be  relevant to public sector data controllers and only in circumstances where they can show that there is a substantial Irish public interest in the transfer  of personal data

(vi) the transfer is necessary for obtaining legal advice or for legal proceedings

Comment: This provision appears to be of relevance only in two situations.  The first situation is where a data controller wishes to obtain legal advice from a legal adviser located in a third country, and where the data controller needs to make personal data available to the adviser for this purpose.  The second situation is where a data controller in Ireland is involved as a party in legal proceedings in a third country, and the data controller needs to make personal data available in that third country for the purpose of the legal proceedings. 

(vii) the transfer is necessary to prevent injury or other damage to the data subject’s health, or to prevent serious damage to his or her property, or to protect his or her vital interests in some other way – provided that it is not possible to inform the data subject, or obtain his or her consent, without harming his or her vital interests

Comment:  Naturally, data protection considerations are sometimes outweighed by other considerations, such as the protection of life and limb.  This provision allows data controllers to transfer personal data to third countries in such situations.  However, before relying on this provision, data controllers must first establish whether it is possible to obtain the person’s consent.  Only if this is not possible – for example due to urgency of time – can this provision be invoked. 

(viii) the personal data to be transferred are an extract from a statutory public register, i.e. a register established by law as being available for public consultation, or as being available for consultation by persons with a legitimate interest in its contents.  In the latter case, the transfer must be made to a person having such a legitimate interest, and subject to compliance by that person with any relevant conditions

Comment: It is permissible to make personal data, derived from a public register, available in a third country.  It is not permissible to transfer the whole of such a register to a third country.  If a statutory register is available for inspection by persons demonstrating a legitimate interest, then this condition – and any other conditions – must be fully complied with before the personal data can be made available.

or

(ix) the transfer is authorised by the Data Protection Commissioner where the data controller can point to adequate data protection safeguards, such as approved contractual provisions.  The EU Commission has approved “model contracts” to assist data controllers in this regard, and such contracts would automatically fall under this provision.  The Data Protection Commissioner also has the power to endorse “model contracts” specific to Irish circumstances, as well as the power to approve particular contracts or other arrangements that provide satisfactory safeguards.  In practice, it is likely that most transfers to ‘unapproved’ third countries will be on the basis of model contracts.

In the case of multinational companies with operations inside and outside the EU, the use of so-called binding corporate rules – legally enforceable privacy/data protection  codes of practice – can offer an  alternative or complementary  mechanism for approved international transfers within the global corporate entity.  A company interested in this option should apply for approval of its rules to the data protection authority of the EU Member State where its headquarters, or main EU centre of activity, is based.  Further information and guidance on this mechanism are available in the Article 29 documents  WP 74 (3 June 2003),  WP 107 (14 April 2005), WP 108(14 April 2005), WP 153(24 June 2008), WP 154(24 June 2008) and WP 155(24 June 2008).

 Power of the Data Protection Commissioner to Prohibit Transfers

The Commissioner has the power to prohibit the transfer of personal data to any country (not just third countries), except in cases where the transfer is required or authorised by law, or where the transfer is required by an international agreement which Ireland is obliged to enforce.  Click here for more information about prohibition notices.