Data Protection Commissioner
Data Protection Commissioner
Press Release - 20 December, 2001

European Communities (Data Protection) Regulations, 2001, signed into Law

EU Directive provisions regarding Transfers of Personal Data to Third Countries to take effect from 1 April 2002

The Data Protection Commissioner, Mr Joe Meade, today welcomed the initiative of the Minister for Justice, Equality & Law Reform in signing new regulations which will bring into Irish law some of the provisions of the 1995 Data Protection Directive.

The Regulations, called the European Communities (Data Protection) Regulations, 2001, were signed by the Minister on 19 December 2001, and will implement Articles 4, 17, 25 and 26 of Directive 95/46/EC, which impose strict privacy rules regarding transfers of personal data to "third countries", i.e. countries outside of the European Economic Area (EEA). [Note: the EEA is comprised of the fifteen EU countries, together with Iceland, Norway and Liechtenstein.]

LINK» more about the EU Directive's rules regarding transfers of personal data to third countries

The Regulations, which come into force on 1 April 2002, provide that organisations may not transfer personal data to third countries which do not have an adequate standard of data protection - unless the organisation can point to other safeguards to protect people's privacy. Such safeguards could include appropriate contractual provisions, or the clear consent of the individuals in question. The EU Commission issues rulings regarding the adequacy of data protection levels in third countries, and regarding appropriate "model contracts" which organisations may use. Where the EU Commission has not made a ruling on such matters, the Data Protection Commissioner may be called upon to authorise a particular transfer of personal data, or to authorise particular types of transfer.

It is noteworthy that the contractual rule regarding "privity of contract" is set aside in the case of "model contracts", or contracts approved for this purpose by the Data Protection Commissioner. This means that individuals will be able to enforce contractual safeguards involving the handling of their own personal data by bodies outside the EEA, in the same way as if the individuals were themselves a party to the contract.

The Regulations also implement Article 17 of the Data Protection Directive, dealing with security measures for processing personal data. The Regulations therefore clarify that data controllers must put in place appropriate security provisions for the protection of personal data, having regard to the current state of technological development, the cost of implementing security measures, the nature of the personal data, and the harm that might result from unauthorised processing or loss of the data concerned. In particular, the Regulations will make it compulsory to engage the services of data processors - agents who process personal data on behalf of a data controller - only on the basis of an appropriate written contract, together with other safeguards. In addition, the Regulations clarify the territorial application of Irish data protection law to data controllers established in the State, and to data controllers established outside the EEA who process data in the State. Data controllers in the latter category must designate a representative in the State.

Further details and guidance on the new Regulations will be placed on the Data Protection Commissioner's website, www.dataprivacy.ie, before the end of January 2002.

LINK» text of the European Communities (Data Protection) Regulations 2001

Media Queries:
Mr Ronnie Downes
Asst Commissioner
Telephone (01) 874 8544
Fax: (01) 874 5405

e-mail: rdownes@dataprivacy.irlgov.ie