[Update: The European Commission decided on 31 January 2011 that the State of Israel is considered as providing an adequate level of protection for personal data. This permits data transfers in relation to automated processing only and excludes the exchange of data for national security purposes. It is mostly relevant to intra-company transfers; for example, where an EU multinational has a place of business in Israel which might provide back-office services to the EU parent (e.g. payroll processing or CRM).]
The Irish media yesterday gave prominence to the unexpected decision of the European Commission to halt a procedure under which Israeli data protection law would be recognised in the European Union. The Irish Times and RTÉ news reports on Thursday evening both opened with almost the exact same sentence:
The European Commission has halted a proposal to allow Israel access to potentially sensitive data on European Union citizens following concerns expressed by the Irish Government.
To me, this sentence suggests that the Israeli government would somehow have access to personal data about EU citizens. This is not the case. The proposal would merely have simplified cross-border transfers of personal data which can and do already occur. The failure of the Commission to approve Israel does not mean that such transfers cannot take place, only that they require extra paperwork.
It’s a technical legal issue, but one which has been simplified to a disappointingly misleading extent. (Today’s print report from the Times was a little more accurate.)
The use of bogus Irish passports by assassins and the suggestion that a stash of personal data was en route to Israel, but for the efforts of Dermot Ahern, make for an exciting story. Unfortunately, reality is more mundane.
The Data Protection Directive imposes obligations on data controllers (holders) and data processors (users) of personal data. The Directive is implemented in Irish law by the Data Protection Acts 1988 and 2003, section 11 of which provides:
The transfer of personal data by a data controller to a country or territory outside the European Economic Area may not take place unless that country or territory ensures an adequate level of protection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of personal data …
The question of whether or not a country ensures an adequate level of protection for privacy and fundamental rights is primarily determined by the European Commission, which can approve countries for that purpose. The Commission has approved Switzerland, Canada, Argentina, Guernsey and the Isle of Man. The Commission has also approved certain transfers to the US, once they fall under the Department of Commerce Safe Harbor Privacy Principles or the Bureau of Customs and Border Protection Air Passenger Name Record system.
So, the default position is that personal data cannot be transferred from the EU to an unapproved country. However, this is not an absolute prohibition on such transfers: section 11(4) of the DPA provides that the restriction does not apply in certain circumstances, which can be summarised as follows:
- if the transfer is required or authorised by law;
- if the data subject has consented to the transfer;
- if the transfer is necessary for contractual reasons in the interests of the data subject;
- if the transfer is necessary for reasons of substantial public interest;
- if the transfer is necessary for the purposes of obtaining legal advice;
- if the transfer is necessary in order to prevent injury or other damage to the health or property of the data subject;
- if the transfer is of part only of personal data on a public register;
- if the transfer has been authorised by the Data Protection Commissioner; or
- if the transfer is made on terms of a kind approved by the Commissioner.
This represents a variety of ways in which the section 11 prohibition on transfers abroad can be worked around, though guidance on using these exemptions means that they are not as wide as they may seem at first.
Nevertheless, these exemptions are frequently used to facilitate cross-border data transfers. The most common examples of such transfers are those between group subsidiaries or transfers to service providers, usually for back-office services (finance, customer support, etc.).
The most frequently used exemptions to section 11 are data subject consent, contractual necessity and transfers on terms approved by the Commissioner. This latter category involves the use of European Commission-approved model contracts which must be entered into by the transferor and transferee, or the use of binding corporate rules in the case of multinationals. These pass through EU data protection standards and obligations to the recipient of the data transfer.
The Israel incident
The European Commission websites do not appear to have any details of the recent developments in relation to Israel, but it is assumed that the proposal before the European Commission was to approve Israel as a country which ensures an adequate level of protection for privacy and fundamental rights.
If approval had gone through (and it seems that it may yet), transfers of personal data could have been made to Israel from the EEA without having to put in place additional measures like data subject consent or inter-party contracts. However, the transferor would still be subject to domestic data protection legislation and an Irish transferor would, for example, still be liable to data subjects.
The proposal would not have given anyone, as of right, access to the personal data of EU citizens. Neither does the failure of the proposal prevent the transfer of such data from the EEA to Israel: such transfers will just have to continue to operate under the exemptions listed above.