Law: Data transfer proposals lay a trap for business
In the age of the Web, how can the nation state make meaningful laws on data protection? Gill Andrews considers the changes needed to conform with an EU directive and the likely pitfalls for the unwary.
Imagine your company is negotiating to acquire another company. As part of your research, you might come across the address, phone, and e-mail details of the finance director and, possibly, his employment history, salary, and golf club. All of which are, technically, personal data. Now, you want to transfer the data to your US parent company.
Or, your business may or may not be global, but let us assume that it transfers personal data quite frequently outside the EU: candidates' CVs, transaction data, or simply employees using e-mail for gossip which includes personal information.
These data transfers could be illegal from 24 October 1998. By that date, Britain and other member states of the EU must have implemented the European directive on the processing of personal data. Draft legislation is due soon and its significance to business will be enormous. Not only could the data transfers I have mentioned be illegal, but countless others could be as well. And the burden of assessing what is or is not allowable will rest upon business until sufficient case law is in place to guide us.
An important part of the new legislation will either ban or regulate the transfer of personal data to those countries outside the EU which have limited or no data protection legislation of their own. The rationale for this is clear: there is little point in having detailed national (EU) laws to protect your own citizens' personal information if data users can simply transfer that information to a third country that lacks such protection, and use it there as they please. We in Britain are, on paper at least, protected against these types of data transfers by the 1984 Data Protection Act, although in 13 years the Data Protection Registrar has only issued one transfer prohibition notice.
From next October, there will be an overhaul of the law in this area (as part of a wider revision of our data protection legislation). As yet, the Government has issued little information or guidance to business on how to deal with the impending changes to the data transfer rules. Information flow is the lifeblood of international business and companies ought to be aware of the restrictions to be imposed.
The first change to the law on transferring data across national boundaries is that no EU country will be able to block data transfers within the EU simply because one member state's data protection is not as high as another's. We shall have an EU-wide free-trade zone for personal data. The second change will make our rules for data transfers outside the zone much tougher - with immediate effect for new processing operations, and from 2001 for pre-existing processing. There will be only three circumstances in which personal data may be transferred outside the EU. First, where the receiving country has "adequate" protection. Second, for certain pre-approved categories (for example, where the data subject has consented or where the transfer is necessary to perform a contract actually made with the data subject). And third, where an exemption is granted by the relevant member state.
Determining adequacy is the problem for UK business. Whereas the directive makes member states the first port of call in any adequacy determination, the Home Office's July 1997 paper on the Government's proposals firmly shifts that responsibility on to the individual business which "will need to decide in the first instance on the adequacy of protection in third countries to which [he] proposes to export data".
So how do you determine whether a company will be operating within the law? Official guidance may be available from the European Commission, which will, over time, publish findings on the adequacy or inadequacy of non-EU countries. Guidance will also be available from the directive's working party, which may provide opinions on the level of protection in non-EU countries. Or you can seek help from the Data Protection Registrar (to be renamed the Data Protection Commissioner), who has been discussing with the Government whether to maintain a central databank of available information on levels of protection in non-EU countries. But none of this, such as it is, is going to be of much use in the early months because, until clear official guidance can be given to business, it is down to you. And if that were not enough, "adequacy" of protection in a non-EU country is to be determined on a data transfer by data transfer basis. So a country may be adequate for one type of data transfer but not another.
Exemptions by member states may be created for journalists, so as to reconcile the rights to privacy with the rules on freedom of expression. It would also be possible for the UK to authorise data transfers where - in the words of the directive - the transferring business "adduces adequate safeguards" with respect to data protection. The directive suggests that those safeguards might result from appropriate contractual clauses (presumably, the contract would be between the EU transferor of data and the non-EU transferee). Many businesses have focused upon this possible contract-based exemption as a window of opportunity, probably rightly, but it would certainly be unwise to assume that your business can sort everything out by an appropriate contract with the non-EU recipient of your data, not least because prior authorisation from the relevant member state will be required before the contract approach will work.
Unfortunately, it is still unclear what the penalties will be for non-compliance, whether from failing to think about the issue, or because the transfer was an e-mail sent by a colleague, or because you attempted to make an adequacy assessment but got the answer wrong. Will it be a criminal offence? Will damages be payable to the individual whose data you have transferred? The implication of the directive is that they will, but as yet we just do not know.
And some big questions about the application of these new rules to the Internet remain to be answered. For example, given the trans-global nature of the Internet, when you include personal data on your website, are you really transferring it to every country in the world?
What is important now is for the Government and the Data Protection Registrar to provide information and guidance on the adequacy of data protection regimes in non-EU countries and for you, the business, to plan new operational procedures to fit into the pre-approved transfer categories and/or to apply under one of the exemptions. Businesses have less than a year to address these issues. So they and their advisers should put it on their agendas, up with EMU and Year 2000 systems compliance.
The writer is a partner at the London office of the international law firm Sidley & Austin.