Those in the EEA (European Union, plus Iceland, Liechtenstein and Norway) who wish to transfer personal data to the USA need to take extreme care. Many advisors suggest that, given the risks of contravening the EU legislation, it is opportune not to do so. What is clear is that you should not contemplate doing so without specialist legal advice. This is an overview of the situation as it exists at the time of writing, although given the political implications there will be meetings and lobbying aplenty.
The Information Commissioner’s Office, www.ico.gov.uk, has created the Eight Principles of Good Practice with regard to the storage and use of personal data, which have an impact on your email marketing. Principle eight requires that personal data should not be transferred to countries without adequate protection:
‘Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.’
Most American legislation aimed at ensuring the security of personal data, including the Controlling the Assault of Non-Solicited Pornography and Marketing Act 2003 (the CAN-SPAM Act), differs fundamentally from the DPA. The most significant difference is that, in essence, such laws are codes of practice rather than firm, controlling legislation. Prosecutions for breaches of the CAN-SPAM Act have been few, and there can be little doubt that the USA does not come under the definition of a country which ‘ensures an adequate level of protection of the rights and freedoms of data subjects’.
This has led to a high-level dispute between the EU and the USA, the history of which is not really relevant. However, it should be realised that the USA considers restrictions on the transfer of data to the USA a restraint of trade. Talks between the USA and the EU have been going on for years with only one significant development: the Safe Harbour provisions. These are little more than a way round the requirement of the European Directive on Data Privacy and are of little interest to all but American firms.
It is essential to those engaged in direct email marketing to understand that Safe Harbour is not a safety net nor a defence to charges. You, as the data owner, retain responsibility for the security of the data.
Below are the criteria for compliance with Safe Harbour:
Notice: This requires certain information to be given to those whose data you hold in ‘a clear and conspicuous manner’. This includes why you are collecting the data, how it is to be used, how they can limit its use and transfer, those to whom the data is to be transferred and contact details with regards to inquiries and complaints.
Choice: The phrase ‘clear and conspicuous’ is used again to describe the required method of offering an opt-out opportunity to restrict the use and disclosure of personal information. An opt-in method must be available for sensitive information, as defined.
Onward transfer: With one exception, the transfer of personal information must comply with the requirements of Notice and Choice above. The exception is in regard to a third party acting for the data holder in certain defined conditions.
Access: Those whose data you intend to transfer must have access to the information held on them and have the facility to correct it where it is inaccurate.
Security: An organisation performing a function with regard to personal information, including holding and maintaining it, must ensure that ‘reasonable’ measures exist to protect it from loss, unauthorised access, misuse, disclosure, alteration and destruction.
Enforcement: A readily available and affordable independent recourse for individuals whose personal data has not been dealt with in accordance with these principles should be available and there should be ‘consequences’ for an organisation which has not complied with these principles.
Data integrity: The personal information must be relevant to the purposes stated in the notice, and reasonable steps should be taken to ensure that the data is reliable, accurate, complete and current.
EU investigations into compliance with the Safe Harbour principles in practice have shown that it is patchy at best. This has implications for those considering relying on the Safe Harbour Principles for the transfer of data to the USA.
Data Protection Principle 8 prohibits any export of personal data from the EEA unless, inter alia, the importing state has adequate data protection laws. It seems clear that those of the USA would not be regarded as adequate.
It is you, as the data holder, who is responsible for its safe keeping. This responsibility cannot be transferred to a third party, nor would complying with the principles of Safe Harbour be a defence.
It would seem that, until the matter is settled politically, which does not seem likely for some time, transferring data to the USA is a great risk and a step that should not be undertaken lightly nor without legal advice.