Tim Pullan is a solicitor in the IT Telecoms Group at ArnheimTite & Lewis. He may be contacted at tim.pullan@uk.pwcglobal.com.
On 12 July, the Government announced that the UK Data Protection Act 1998will come into force on the 1 March 2000. This announcement has ended months ofspeculation about the start date for the new legislation, which implements theEU Data Protection Directive in the UK.
The Government is currently in the process of publishing draft secondarylegislation for the 1998 Act. New drafts were published shortly after theannouncement on 12 July.
Preparing for Compliance
For many organisations, especially those that are heavily reliant on IT torun their business processes, gearing up for 1 March 2000 may involve anextensive compliance programme, focusing both on procedural and technicalaspects of the business. There may be a particular impact on those in theE-business sector, where the impact of the new regime will have to considered inthe context of future requirements under numerous E-business regulatory regimesbeing developed around the world, including here in the UK, where a draftElectronic Communications Bill was published in July.
Many companies that we advise are already taking the new regime into account,particularly where the design and implementation of new IT infrastructure isconcerned. However, in many cases, the revision of procedures relating to legacysystems and data archives may be more problematic, although some transitionalrelief may be available.
Before undertaking a data protection review, organisations need to fullyunderstand the following issues:
- what is the scope of 1998 Act?
- are there any relevant transitional measures that will extend the deadline for compliance?
- how can compliance be determined effectively?
Scope of the 1998 Act
For the sake of brevity, this article does not cover the general scope of thenew regime, especially as most SCL readers should be familiar with thefundamental changes that will be brought about by the 1998 Act.
It is the restriction on the transfer of personal data out of the EuropeanEconomic Area (the eighth principle) that continues to cause most uncertaintyabout the scope of the 1998 Act in practice.
The eighth principle prohibits such transfers unless there is an adequatelevel of protection for personal data in the destination country or unless oneof the specific derogations applies.
(Very) broadly speaking, the UK Data Protection Registrar advises that, if anadequate level of protection does not exist in the destination country (ie arethere no or inadequate data protection laws/regulations in force), thetransferor is required to assess whether adequate protection exists for thetransfer in question, taking into account all the circumstances. If it does not,the transfer may still proceed if it falls within one of the derogations underthe 1998 Act – for example, the informed consent of the individuals identifiedby the personal data to the transfer. The process of ascertaining circumstantialadequacy may involve the use of contracts to impose suitable data protectionobligations on recipients.
In the absence of a ‘finding’ by the European Commission that a countryprovides adequate protection, it will be for the transferor to determine whethera presumption of adequacy can be made about the country concerned, beforeembarking if necessary on the circumstantial assessment of adequacy. Given thatthere are no findings at present, this is clearly a problematic area fororganisations seeking legal certainty looking ahead to 1 March 2000.
Over the past year, the Registrar has been actively consulting with variousorganisations and working parties with the aim of developing a coherent set ofguidelines for applying the eighth principle in practice. The most recentdevelopment in this regard (29 July) is the publication of the preliminary viewof the Registrar1 on a ‘good practice’ approachto assessing adequacy. This summarises much of the consultation work that hasbeen carried out recently.
The good news is that:
- the European Commission is currently considering making findings and is likely to do so;
- the Registrar considers that a presumption of adequacy can be made in respect of most, if not all, transfers of personal data to processors outside the EEA, provided that the transferors are in compliance with other relevant provisions of the 1998 Act (eg security requirements); and
- where international data transfers are being made between group companies, internal codes of practice for the group may be sufficient for there to be a strong presumption regarding the adequacy of protection – such a presumption may also apply to transfers between professional advisors with international clients, and in other similar situations.
However the Registrar considers that reliance upon a derogation such asconsent, without a detailed assessment of adequacy, is not best practice and ismore likely to lead to a breach of data protection principles.
Moreover, whilst transferors may be able to make a presumption of adequacyabout the country in question based on guidelines2adopted by the European Commission, no actual examples of the application ofthese guidelines are provided. The guidelines are intended to be an objectivetest of a country’s legal/regulatory framework. It begs the question why, ifthe transferors are considered competent to carry out this analysis, theEuropean Commission (which is more qualified in this respect) has yet to make afinding. The answer is that there are certain implications associated withmaking a finding that have delayed the European Commission from taking thisstep. The fact remains that, for UK transferors, the situation remains uncertainwith regard to key jurisdictions outside the EEA, including the US, in respectof which the European Commission has yet to agree to the US ‘safe harbours’proposal.
The Registrar considers that a fundamental weakness with regard to dataprotection contracts is the current inability of English law contracts to grantrights that non-parties (in this case, data subjects) can enforce. However, herpreliminary view does make reference to the Contracts (Rights of Third Parties)Bill currently before Parliament. The Registrar points out that this statutoryamendment to the ancient rule of privity may resolve this difficulty.
The privity issue, along with other concerns that the Registrar has inrelation to ‘model’ contracts recently proposed by organisations such as theCBI, means that she is not currently prepared to approve any particular set ofterms to cover transfers to countries which are not the subject of a finding orwhich do not satisfy the Commission’s guidelines. Her approval of a modelcontract would provide a derogation for certain transfers made on such terms tothese countries. Without such approval, where contracts are required to ensurean adequate level of protection, transferors will have to rely on their ownjudgement as to the terms that are appropriate in each case.
Transitional Measures
The Government was under an obligation to implement the EU Data ProtectionDirective by 24 October 1998, and the 1998 Act was drafted with that date inmind. In the event, only the UK Government itself was bound by the new dataprotection regime from that date.
The Act allows for two transitional periods, the first ending on 23 October2001 and the second ending on 23 October 2007. For IT systems, only the firsttransitional period, which will provide in effect a 19ø month period of grace,will be relevant. There are a number of exemptions that may be available duringthis time.
Organisations can take advantage of the first transitional period only if theprocessing of data concerned was already underway immediately before 24 October1998.
Clearly, where legacy systems and procedures that require extensivecompliance work do meet the criteria for the first transitional period,organisations may want to take advantage of the extension. However, it is likelythat many businesses will have a mixture of processing operations, some of whichqualify for transitional relief and others that do not.
Where possible, it may be simpler to harmonise working practices across theorganisation with the new law in mind. Much will depend on the circumstances ofeach case and the solution may need to be one of commercial expediency.
Determining Compliance
Organisations will have to take the new law and the Registrar’s guidelinesinto account in reviewing working practices.
In relation to some of the key obligations, particularly the eighthprinciple, organisations should be aware that guidance issued by the UKRegistrar may be subject in the coming months to actions taken by the EuropeanCommission.
Generally, organisations will have to decide for themselves whether they arein compliance with the new regime, and will in each case, have to make – andtake responsibility for – reasoned judgements about their relevant workingpractices. The Registrar adopts the role of providing guidance to those whoprocess personal data and, where she identifies breaches of the law, takingaction to enforce data protection obligations. Generally, therefore,organisations looking ahead to 1 March 2000 will need to take specialist advicein preparing for compliance.
A very welcome development is that the Registrar recently announced (13 May)that an audit manual would be prepared to assist her own audit functions and tobe made available to the public generally. Latest indications are that themanual should be available in a couple of months’ time.
Endnotes
1. ‘The Data Protection Registrar’s legal analysis and suggested ‘‘Good Practice Approach’’ to assessing adequacy including consideration of the issue of contractual solutions’, version 1. This is the preliminary view of the Registrar on these issues.
2. Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive by the Working Party on the Protection of Individuals with regard to the Processing of Personal Data (European Commission ref. DG XV D/5025/98 WP12) – adopted 27 July 1998.