Section 11 of the Data Protection Acts 1988 and 2003 specify conditions that must be met before personal data may be transferred to third countries. Organisations that transfer personal data from Ireland to third countries – i.e. places outside of the European Economic Area (EEA) – will need to ensure that the country in question provides an adequate level of data protection. Some third countries have been approved for this purpose by the EU Commission. The adequacy decision of the European Commission which underpinned the US 'Safe Harbour' arrangement has now been invalidated by a decision of the Court of Justice of the European Union of 06 October 2015 (Case C-362/14). Consequently, it is no longer lawful to make transfers on the basis of the EU-US Safe Harbour framework.
More details on each of the above points are given below.
The "adequacy" test relates to all of the circumstances surrounding a proposed transfer of personal data, including the nature of the data, the purposes for the transfer, the laws in force in that country, and the security measures in place. The EU Commission maintains a list of approved countries which are regarded as satisfying this requirement. So if a country appears on this "approved list", then Irish data controllers may transfer personal data to such countries, in the same way as if the transfer were being made within Ireland, or within the EEA.
Answer: So far, only Switzerland, Guernsey, Argentina, Isle of Man, Faroe Islands, Jersey, Andorra, Israel, New Zealand and Uruguay have been approved in full. Canada has been approved for certain types of personal data. The Commission has also approved the transfer of advance airline passenger data to the US, Canada and Australia. The EU Commission website gives full information about which third countries have been approved for data protection purposes,
Answer: The Regulations make it clear that any EU findings about the adequacy or inadequacy of a third country's data protection regime are definitive, and cannot be second-guessed by national data protection authorities or by data controllers. However a Commission adequacy decision cannot prevent an individual from lodging a complaint concerning the protection of their rights and freedoms in regard to the processing of data in a third country and the National Data Protection Authority must investigate the complaint. It is also open to the individual or the national authority to bring the matter before the national courts in order to effect a referral to the Courts of Justice of the European Union. The Regulations also envisage situations where the Data Protection Commissioner may consider that a third country does not ensure an adequate level of data protection. In such situations, the Regulations require the Commissioner to inform the EU Commission, and the other Data Protection authorities throughout the EU, of his opinion. If the Data Protection Commissioner were to form such a view, it would be reasonable and prudent for Irish data controllers to regard such a view as authoritative, until such time as the view has been modified by the EU Commission.
If neither the EU nor the Commissioner has expressed a view on the matter, then in theory a data controller might form its own view that a third country ensures an adequate level of data protection. However, this practice is not recommended, as the Data Protection Commissioner might form a different view, and might issue a prohibition notice to prevent the transfer of data. Generally speaking, it would be unwise to attempt to transfer personal data to "unapproved" countries, without first consulting the Data Protection Commissioner's Office, or without using the other alternative mechanisms which are discussed below.
Answer: No, this is not the case. If a country is not approved by the EU Commission as providing an adequate standard of data protection, a data controller can still transfer personal data to such a country by using one of the alternative procedures, such as using an approved contract. More details about these alternative provisions are given in the next section, below.
Transferring Personal Data to Non-Approved Third Countries
The Nine Alternative Measures;
If a country does not appear on the EU Commission's "approved list", then Irish data controllers must normally enter into approved contractual arrangements which guarantee the rights of the individuals concerned. In certain limited circumstances – especially where the individual data subject has clearly given her or his consent – transfers of personal data may take place even if the level of protection to be afforded to the transferred data cannot be guaranteed in law. The narrow scope of these circumstances is spelled out in the Article 29 Working Party document of 25 November 2005. The full list of available options, as set out in Section 11 (4) of the Data Protection Act, is as follows:
If a data controller can point to one or more of the following alternatives, then the transfer of personal data to the third country may proceed:
(i) the transfer of personal data is required or authorised by law
Comment: If a data controller is subject to a requirement under Irish law to transfer personal data to a third country, or is clearly authorised by Irish law to make the transfer, then the transfer may proceed.
(ii) the data subject (i.e. the individual to whom the personal data relates) has given his or her consent to the transfer
Comment: If you wish to transfer a database containing records about many individuals to a third country, then – in order to rely on this provision – you need to obtain the consent of each one of these individuals before you can transfer their data. In interpreting what is meant by the word 'consent', the Data Protection Commissioner will have regard to relevant provisions of the 1995 EU Directive, which refers to the 'unambiguous consent' of individuals in this context. The Directive also requires that 'consent' must be freely given and informed. Data controllers should therefore be extremely cautious about relying on consent as a basis for data transfer since, in practice, demonstrating that such consent is clear, unambiguous, freely given and specific is likely to be problematic. Relying on consent is not normally appropriate for repeated or massive transfers. Additionally the information given to data subjects must also include the specific risk resulting from the fact that their data will be transferred to a country that does not provide adequate protection. The consent has to be given on the basis of sufficiently precise information, including information on the lack of protection in the third country.
(iii) the transfer is necessary for the performance of a contract to which the data subject is party; or the transfer is necessary for the taking of steps – at the request of the data subject – with a view to his or her entering into a contract with the data controller
(iv) the transfer is necessary to conclude a contract (or to perform a contract) between the data controller and someone other than the data subject, in cases where the contract is entered into at the request of the data subject, or where the contract is in the interests of the data subject
Comment: Data controllers should be cautious about relying on provisions (iii) and (iv) since the "necessity" test rules out use of these provisions other than in very specific circumstances. For example, it would not be prudent to rely solely on these provisions for the transfer of employee data within a multinational company.
(v) the transfer is necessary for reasons of substantial public interest
Comment: this basis is only likely to be relevant to public sector data controllers and only in circumstances where they can show that there is a substantial Irish public interest in the transfer of personal data
(vi) the transfer is necessary for obtaining legal advice or for legal proceedings
Comment: This provision appears to be of relevance only in two situations. The first situation is where a data controller wishes to obtain legal advice from a legal adviser located in a third country, and where the data controller needs to make personal data available to the adviser for this purpose. The second situation is where a data controller in Ireland is involved as a party in legal proceedings in a third country, and the data controller needs to make personal data available in that third country for the purpose of the legal proceedings.
(vii) the transfer is necessary to prevent injury or other damage to the data subject's health, or to prevent serious damage to his or her property, or to protect his or her vital interests in some other way – provided that it is not possible to inform the data subject, or obtain his or her consent, without harming his or her vital interests
Comment: Naturally, data protection considerations are sometimes outweighed by other considerations, such as the protection of life and limb. This provision allows data controllers to transfer personal data to third countries in such situations. However, before relying on this provision, data controllers must first establish whether it is possible to obtain the person's consent. Only if this is not possible – for example due to urgency of time – can this provision be invoked.
(viii) the personal data to be transferred are an extract from a statutory public register, i.e. a register established by law as being available for public consultation, or as being available for consultation by persons with a legitimate interest in its contents. In the latter case, the transfer must be made to a person having such a legitimate interest and subject to compliance by that person with any relevant conditions
Comment: It is permissible to make personal data, derived from a public register, available in a third country. It is not permissible to transfer the whole of such a register to a third country. If a statutory register is available for inspection by persons demonstrating a legitimate interest, then this condition – and any other conditions – must be fully complied with before the personal data can be made available.
(ix) the transfer is authorised by the Data Protection Commissioner where the data controller can point to adequate data protection safeguards, such as approved contractual provisions. The EU Commission has approved "model contracts" to assist data controllers in this regard, and such contracts would automatically fall under this provision. The Data Protection Commissioner also has the power to endorse "model contracts" specific to Irish circumstances, as well as the power to approve particular contracts or other arrangements that provide satisfactory safeguards. In practice, it is likely that most transfers to 'unapproved' third countries will be on the basis of model contracts.
In the case of multinational companies with operations inside and outside the EU, the use of so-called binding corporate rules – legally enforceable privacy/data protection codes of practice – can offer an alternative or complementary mechanism for approved international transfers within the global corporate entity. A company interested in this option should apply for approval of its rules to the data protection authority of the EU Member State where its headquarters, or main EU centre of activity, is based. Further information and guidance on this mechanism are available on the EU Commission website.
The Commissioner has the power to prohibit the transfer of personal data to any country (not just third countries), except in cases where the transfer is required or authorised by law, or where the transfer is required by an international agreement which Ireland is obliged to enforce. Click here for more information about prohibition notices.
The rules regarding transfers to third countries can be summarised as follows. Clicking on a highlighted phrase will take you straight to more details about each particular topic.