D11.3: Economic aspects of mobility and identity

Title: DATA TRANSFER TO THIRD COUNTRIES

Data transfer to third countries

A large amount of personal data (especially traffic and location data) is collected and processed with regard to mobility. As far as the transfer of data is realised within the Internal Market of the EU, Article 1(2) lifts the barriers between the Member States: “Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph 1”. However, in cases where the personal data are to be transferred to countries outside the European Union or the EEA, this may only take place if the third country in question ensures an adequate level of protection or if the data transfer falls under one of the statutory exceptions foreseen in Article 26 of the data protection directive.  The adequate level of protection shall be acknowledged to a third country in the light of all the circumstances surrounding a (or a set of) data transfer operation(s). Particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country. With regard to transfers of personal data to third countries and further defining of the notion of ‘adequate level of protection’ the Working Party 29 has adopted several Working Documents on the Transfers of personal data to third countries.

As regards the derogations from the rule of ‘adequate data protection’, Article 26(1) of the data protection directive provides that a Member State may authorise a transfer of personal data to third countries which do not ensure an adequate level of protection, on one of the following conditions: 

1. when the data subject has given his consent unambiguously to the proposed transfer 

2. if it is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject’s request  

3. when the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party 

4. if it is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims 

5. when the transfer is necessary in order to protect the vital interests of the data subject 

6. when the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case. 

In addition, data transfer to third countries which do not ensure an adequate level of protection can be realised in cases where ‘[…] the [data] controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses’.

In order to facilitate the national supervisory authorities the European Commission adopted on 15 June 2001 a decision on standard contractual clauses for the transfer of personal data to third countries (2001/497/EC). In its decision, the Commission provides the Member States with safeguards in the form of a set of standard contractual clauses. The transfer to a third country may take place, if the ‘data exporter’ (the controller who transfers the personal data) and the ‘data importer’ (the controller who agrees to receive from the data exporter personal data for further processing in accordance with the terms of the decision 2001/497/EC) agree that the further processing of the personal data received by the data importer will be in accordance with the terms of the clauses.

On the basis of Article 25(6) data protection directive the Commission has the power to determine whether a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into. Until now the Commission has issued decisions on the adequacy of the data protection in Argentina, Canada, Switzerland, United States - Transfer of Air Passenger Name Record (PNR) Data, United States - Safe Harbour, Guernsey and the Isle of Man.

Mobility creates uncertainty regarding the physical location of the processor, the controller or even the data itself. For instance an issue that generated long discussions was whether the loading of personal data on a webpage, which is accessed by some user from a country outside the EU or the EEA shall be considered as transfer of data to a third country. The Dutch Data Protection Authority stated that ‘making information available through the Internet by means of a website is a form of publication’.

This vigorously disputed issue was resolved by the European Court of Justice, which ruled that data available on a website are not directly transferred between the person that uploaded the data and the person that accessed them but through a computer. Furthermore, the Court held that ‘[i]f Article 25 of Directive 95/46 were interpreted to mean that there is transfer [of data] to a third country every time that personal data are loaded onto an internet page, that transfer would necessarily be a transfer to all the third countries where there are the technical means needed to access the internet. […] Thus, if the Commission found, pursuant to Article 25(4) of Directive 95/46, that even one third country did not ensure adequate protection, the Member States would be obliged to prevent any personal data being placed on the internet’. The Court concluded that ‘there is no transfer [of data] to a third country within the meaning of Article 25 of Directive 95/46 where an individual in a Member State loads personal data onto an internet page which is stored with his hosting provider which is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country’.